From 4e873db7497b60635be173ecd707af2fb465f52c Mon Sep 17 00:00:00 2001
From: jelly Tomas
Date: Sat, 21 Mar 2026 18:23:13 +0000
Subject: [PATCH 1/7] Should be the final before suricata, v3 FUCK
---
ROUTER.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ROUTER.sh b/ROUTER.sh
index 37327ba..d3cf74a 100644
--- a/ROUTER.sh
+++ b/ROUTER.sh
@@ -87,9 +87,9 @@ sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --sport 21 -j ACCEPT #Changed
 sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED
 #SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface
-sudo iptables -t nat -A PREROUTING -s $dn2 -d 87.248.214.97 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -s $dns2 -d 87.248.214.97 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
 sudo iptables -t nat -A PREROUTING -s $eden -d 87.248.214.97 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
-sudo iptables -t nat -A PREROUTING -s $dn2 -d 87.248.214.97 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -s $dns2 -d 87.248.214.97 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
 sudo iptables -t nat -A PREROUTING -s $eden -d 87.248.214.97 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --sport 22 -j ACCEPT #Need to check and make diferent ip addresses
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --sport 22 -j ACCEPT
From 1f99e5d28aa53eb0fcbb9798f2c9d6dafe1a15c1 Mon Sep 17 00:00:00 2001
From: jelly Tomas
Date: Sat, 21 Mar 2026 18:38:11 +0000
Subject: [PATCH 2/7] Should be the final before suricata, v4
---
INTERNET.sh | 4 ++--
ROUTER.sh | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
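Review bot: The two `+` lines fix the `$dn2`/`$dns2` mismatch, but nothing makes such a typo fail loudly: an unset `$dns2` expands to nothing, iptables sees `-s -d 87.248.214.97`, that one line errors and the rest of the ruleset keeps loading unless the script sets `-e`, which this hunk does not show. A `: "${dns2:?dns2 is unset}"` (and the same for `eden`) near the top of the script, or `set -u`, would stop the run instead, and quoting the expansions as `"$dns2"` costs nothing. Separately, the `--sport 22` DNAT rules (second `+` line here and the `$eden` context line after it, likewise the `--sport 21` DNAT lines added in the ROUTER.sh hunk of PATCH 2/7 and rewritten in PATCH 3/7) do nothing useful: DNAT is applied to the first packet of a connection and conntrack reverses it for the replies on its own, while a fresh packet from $dns2 with source port 22 would be a new connection originating from a server port. Those lines can be dropped; the `--dport` rules are what carry the traffic.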
diff --git a/INTERNET.sh b/INTERNET.sh
index 0483aae..2211083 100644
--- a/INTERNET.sh
+++ b/INTERNET.sh
@@ -9,7 +9,7 @@ sudo systemctl disable firewalld
 sudo systemctl mask firewalld
 sudo systemctl enable iptables
 sudo iptables -F
-sudo ifconfig enp0s8 $dn2 netmask $mask24
+sudo ifconfig enp0s8 $dns2 netmask $mask24
 sudo route add default gw $routerIp
-sudo ip addr add $dns2 dev enp0s8
+#sudo ip addr add $dns2 dev enp0s8
 sudo ip addr add $eden dev enp0s8
\ No newline at end of file
diff --git a/ROUTER.sh b/ROUTER.sh
index d3cf74a..d2c4360 100644
--- a/ROUTER.sh
+++ b/ROUTER.sh
@@ -91,6 +91,8 @@ sudo iptables -t nat -A PREROUTING -s $dns2 -d 87.248.214.97 -p tcp --dport 22 -
 sudo iptables -t nat -A PREROUTING -s $eden -d 87.248.214.97 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
 sudo iptables -t nat -A PREROUTING -s $dns2 -d 87.248.214.97 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
 sudo iptables -t nat -A PREROUTING -s $eden -d 87.248.214.97 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -s 87.248.214.0/24 -d 87.248.214.97 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
+sudo iptables -t nat -A PREROUTING -s 87.248.214.0/24 -d 87.248.214.97 -p tcp --sport 21 -j DNAT --to-destination 192.168.10.2
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --sport 22 -j ACCEPT #Need to check and make diferent ip addresses
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --sport 22 -j ACCEPT
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT #Need to check and make diferent ip addresses
From 79be50b220341c7a4d15b0244c030098afb5b852 Mon Sep 17 00:00:00 2001
From: jelly Tomas
Date: Sat, 21 Mar 2026 19:17:12 +0000
Subject: [PATCH 3/7] Should be the final before suricata, v4
---
ROUTER.sh | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
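Review bot: The new `ifconfig enp0s8 $dns2 netmask $mask24` line keeps the primary address on the net-tools path while the surviving `ip addr add $eden dev enp0s8` line uses iproute2, so one interface is now addressed by two tools that do not report each other's state; if `ip` is available, `sudo ip addr add "$dns2/24" dev enp0s8` next to the `$eden` line would keep it in one place (this assumes `$mask24` is a /24, which the hunk does not show). The expansions are unquoted throughout; `"$dns2"` and `"$mask24"` are the minimum. The file also still ends without a trailing newline.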
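Review bot: The new `--dport 21` DNAT to 192.168.10.2 only translates the FTP control channel; the data channel is negotiated inside that session on dynamic ports, so without the FTP conntrack helper the data connections of a translated client are neither NAT'd nor recognised as RELATED and transfers will stall. Load `nf_conntrack_ftp` and, on kernels where automatic helper assignment is off, attach it explicitly with `sudo iptables -t raw -A PREROUTING -i enp0s10 -p tcp --dport 21 -j CT --helper ftp`, then accept `-m conntrack --ctstate RELATED,ESTABLISHED` in FORWARD. The `#Need to check and make diferent ip addresses` context lines show the SSH ACCEPT rules still key on `--sport 22`; the same state match would replace those too.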
diff --git a/ROUTER.sh b/ROUTER.sh
index d2c4360..cc902b9 100644
--- a/ROUTER.sh
+++ b/ROUTER.sh
@@ -87,12 +87,12 @@ sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --sport 21 -j ACCEPT #Changed
 sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED
 #SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface
-sudo iptables -t nat -A PREROUTING -s $dns2 -d 87.248.214.97 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
-sudo iptables -t nat -A PREROUTING -s $eden -d 87.248.214.97 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
-sudo iptables -t nat -A PREROUTING -s $dns2 -d 87.248.214.97 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
-sudo iptables -t nat -A PREROUTING -s $eden -d 87.248.214.97 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
-sudo iptables -t nat -A PREROUTING -s 87.248.214.0/24 -d 87.248.214.97 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
-sudo iptables -t nat -A PREROUTING -s 87.248.214.0/24 -d 87.248.214.97 -p tcp --sport 21 -j DNAT --to-destination 192.168.10.2
+sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -s $eden -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
+sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --sport 21 -j DNAT --to-destination 192.168.10.2
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --sport 22 -j ACCEPT #Need to check and make diferent ip addresses
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --sport 22 -j ACCEPT
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT #Need to check and make diferent ip addresses
From cd057575755c47213d047b46b995a6a133e8ff25 Mon Sep 17 00:00:00 2001
From: jelly Tomas
Date: Sat, 21 Mar 2026 19:43:15 +0000
Subject: [PATCH 4/7] Actually done, now going to suricata this guy.
---
ROUTER.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/ROUTER.sh b/ROUTER.sh
index cc902b9..f398568 100644
--- a/ROUTER.sh
+++ b/ROUTER.sh
@@ -85,6 +85,7 @@ sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -
 sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT #NEDDS testing
 #FTP da internet WORRIED ???
 sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --sport 21 -j ACCEPT #Changed
+sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT
 sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED
 #SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface
 sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
From e407142f668adf563e0586112851aae4c45ac048 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 22 Mar 2026 10:41:11 +0000
Subject: [PATCH 5/7] Suricata done
---
suricata.rules | 5 +
suricata.yaml | 2242 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 2247 insertions(+)
create mode 100644 suricata.rules
create mode 100644 suricata.yaml
diff --git a/suricata.rules b/suricata.rules
new file mode 100644
index 0000000..9c84dbe
--- /dev/null
+++ b/suricata.rules
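Review bot: The rewritten `+` lines widen every DNAT in this hunk: the FTP rules now match `-i enp0s10 -p tcp --dport 21` with neither `-s` nor `-d`, so any port-21 packet that arrives on that interface, whatever host it was addressed to, is redirected to 192.168.10.2, and the four SSH rules lose `-d 87.248.214.97`, so every port-22 connection from $dns2 or $eden that transits this router, to any destination, now lands on 192.168.10.3. If the intent is "connections addressed to this router's public IP", keep `-d 87.248.214.97` on all six lines, or use `-m addrtype --dst-type LOCAL` so the rule follows whatever addresses the router holds. Dropping the `-s 87.248.214.0/24` restriction on the FTP rules is a separate decision from fixing the interface match and deserves its own comment in the script, since the `#FTP da internet WORRIED ???` line a few lines up records the author's own doubt about this exposure.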
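Review bot: The added `FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT` is the first rule that actually admits the DNAT'd FTP control connection, but it admits it from any source and without a state match, and the neighbouring `--sport 21` and `--sport 20` ACCEPTs recognise replies by port number alone, which says nothing about whether a connection exists. A stateful pair is tighter and shorter: `sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` placed before the per-service rules, and `-m conntrack --ctstate NEW` added to the new line; the `--sport` ACCEPT lines then become redundant. If the FTP exposure is meant to stay limited, the `-s 87.248.214.0/24` qualifier that PATCH 2/7 used belongs on this line as well.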
@@ -0,0 +1,5 @@ +drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;) +drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;) +drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;) +drop tcp any any -> any 80 (msg:"XSS"; content:" %A:%P" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log of TLS handshake parameters (no alerts) + - tls-log: + enabled: no # Log TLS connections. + filename: tls.log # File to store TLS logs. + append: yes + #extended: yes # Log extended information like fingerprint + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + + # output module to store certificates chain to disk + - tls-store: + enabled: no + #certs-log-dir: certs # directory to store the certificates files + + # Packet log... log packets in pcap format. 3 modes of operation: "normal" + # "multi" and "sguil". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or as specified by "dir". + # In multi mode, a file is created per thread. This will perform much + # better, but will create multiple files where 'normal' would create one. + # In multi mode the filename takes a few special variables: + # - %n -- thread number + # - %i -- thread id + # - %t -- timestamp (secs or secs.usecs based on 'ts-format' + # E.g. filename: pcap.%n.%t + # + # Note that it's possible to use directories, but the directories are not + # created by Suricata. E.g. 
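Review bot: The first rule's `threshold:type both, track by_src, count 5, seconds 60` fires on the fifth SYN from one source within a minute, a rate a single browser page load exceeds, so with the `drop` action it will interfere with ordinary clients; raise the count to something only a real flood reaches and give the rule an actionable `msg` in place of `"ET"`, e.g. `msg:"LOCAL SYN rate from single source exceeded"`. Rules 2 and 3 match `content:"union"`/`"select"` and `'or 1=1` anywhere in any TCP payload to port 80 rather than in an HTTP buffer, so a normal page or form whose body happens to contain those words is dropped as well; anchor them with `flow:established,to_server;` and the `http.uri;` or `http.request_body;` sticky buffers so only client request data is inspected. Rule 4 is cut off after `content:"` in this copy of the hunk and rule 5 is not legible, so they are not reviewed here; the hunk's tail runs into the suricata.yaml diff that follows.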
filename: pcaps/%n/log.%s will log into the + # per thread directory. + # + # Also note that the limit and max-files settings are enforced per thread. + # So the size limit when using 8 threads with 1000mb files and 2000 files + # is: 8*1000*2000 ~ 16TiB. + # + # In Sguil mode "dir" indicates the base directory. In this base dir the + # pcaps are created in the directory structure Sguil expects: + # + # $sguil-base-dir/YYYY-MM-DD/$filename. + # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: yes + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000mb + + # If set to a value, ring buffer mode is enabled. Will keep maximum of + # "max-files" of size "limit" + max-files: 2000 + + # Compression algorithm for pcap files. Possible values: none, lz4. + # Enabling compression is incompatible with the sguil mode. Note also + # that on Windows, enabling compression will *increase* disk I/O. + compression: none + + # Further options for lz4 compression. The compression level can be set + # to a value between 0 and 16, where higher values result in higher + # compression. + #lz4-checksum: no + #lz4-level: 0 + + mode: sguil # normal, multi or sguil. + + # Directory to place pcap files. If not provided the default log + # directory will be used. Required for "sguil" mode. + dir: /var/log/suricata/pcaps/ + + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets + honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged. 
+ # Use "all" to log all packets or use "alerts" to log only alerted packets and flows or "tag" + # to log only flow tagged via the "tag" keyword + #conditional: all + + # a full alert log containing much information for signature writers + # or for investigating suspected false positives. + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Stats.log contains data from various counters of the Suricata engine. + - stats: + enabled: yes + filename: stats.log + append: yes # append to file (yes) or overwrite it (no) + totals: yes # stats for all threads merged together + threads: no # per thread stats + #null-values: yes # print counters that have value 0. Default: no + + # a line based alerts log similar to fast.log into syslog + - syslog: + enabled: no + # reported identity to syslog. If omitted the program name (usually + # suricata) will be used. + #identity: "suricata" + facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + + # Output module for storing files on disk. Files are stored in + # directory names consisting of the first 2 characters of the + # SHA256 of the file. Each file is given its SHA256 as a filename. + # + # When a duplicate file is found, the timestamps on the existing file + # are updated. + # + # Unlike the older filestore, metadata is not written by default + # as each file should already have a "fileinfo" record in the + # eve-log. If write-fileinfo is set to yes, then each file will have + # one more associated .json files that consist of the fileinfo + # record. A fileinfo file will be written for each occurrence of the + # file seen using a filename suffix to ensure uniqueness. + # + # To prune the filestore directory see the "suricatactl filestore + # prune" command which can delete files over a certain age. 
+ - file-store: + version: 2 + enabled: no + + # Set the directory for the filestore. Relative pathnames + # are contained within the "default-log-dir". + #dir: filestore + + # Write out a fileinfo record for each occurrence of a file. + # Disabled by default as each occurrence is already logged + # as a fileinfo record to the main eve-log. + #write-fileinfo: yes + + # Force storing of all files. Default: no. + #force-filestore: yes + + # Override the global stream-depth for sessions in which we want + # to perform file extraction. Set to 0 for unlimited; otherwise, + # must be greater than the global stream-depth value to be used. + #stream-depth: 0 + + # Uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write to the file. + #max-open-files: 1000 + + # Force logging of checksums: available hash functions are md5, + # sha1 and sha256. Note that SHA256 is automatically forced by + # the use of this output module as it uses the SHA256 as the + # file naming scheme. + #force-hash: [sha1, md5] + # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported. 
If more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # Log TCP data after stream normalization + # Two types: file or dir: + # - file logs into a single logfile. + # - dir creates 2 files per TCP session and stores the raw TCP + # data into them. + # Use 'both' to enable both file and dir modes. + # + # Note: limited by "stream.reassembly.depth" + - tcp-data: + enabled: no + type: file + filename: tcp-data.log + + # Log HTTP body data after normalization, de-chunking and unzipping. + # Two types: file or dir. + # - file logs into a single logfile. + # - dir creates 2 files per HTTP session and stores the + # normalized data into them. + # Use 'both' to enable both file and dir modes. + # + # Note: limited by the body limit settings + - http-body-data: + enabled: no + type: file + filename: http-data.log + + # Lua Output Support - execute lua script to generate alert and event + # output. + # Documented at: + # https://docs.suricata.io/en/latest/output/lua-output.html + - lua: + enabled: no + #scripts-dir: /etc/suricata/lua-output/ + scripts: + # - script1.lua + +# Logging configuration. This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. +logging: + # The default log level: can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overridden by the SC_LOG_LEVEL env var. + default-log-level: notice + + # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overridden in an + # output section. You can leave this out to get the default. + # + # This console log format value can be overridden by the SC_LOG_FORMAT env var. 
+ #default-log-format: "%D: %S: %M" + # + # For the pre-7.0 log format use: + #default-log-format: "[%i] %t [%S] - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overridden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Requires libunwind to be available when Suricata is configured and built. + # If a signal unexpectedly terminates Suricata, displays a brief diagnostic + # message with the offending stacktrace if enabled. + #stacktrace-on-signal: on + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default: console output. + outputs: + - console: + enabled: yes + # type: json + - file: + enabled: yes + level: info + filename: suricata.log + # format: "[%i - %m] %z %d: %S: %M" + # type: json + - syslog: + enabled: no + facility: local5 + format: "[%i] <%d> -- " + # type: json + + +## +## Step 3: Configure common capture settings +## +## See "Advanced Capture Options" below for more options, including Netmap +## and PF_RING. +## + +# Linux high speed capture support +af-packet: + - interface: eth0 + # Number of receive threads. "auto" uses the number of cores + #threads: auto + # Default clusterid. AF_PACKET will load balance packets based on flow. + cluster-id: 99 + # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. + # This is only supported for Linux kernel > 3.1 + # possible value are: + # * cluster_flow: all packets of a given flow are sent to the same socket + # * cluster_cpu: all packets treated in kernel by a CPU are sent to the same socket + # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same + # socket. Requires at least Linux 3.14. + # * cluster_ebpf: eBPF file load balancing. See doc/userguide/capture-hardware/ebpf-xdp.rst for + # more info. 
+ # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system + # with capture card using RSS (requires cpu affinity tuning and system IRQ tuning) + # cluster_rollover has been deprecated; if used, it'll be replaced with cluster_flow. + cluster-type: cluster_flow + # In some fragmentation cases, the hash can not be computed. If "defrag" is set + # to yes, the kernel will do the needed defragmentation before sending the packets. + defrag: yes + # To use the ring feature of AF_PACKET, set 'use-mmap' to yes + #use-mmap: yes + # Lock memory map to avoid it being swapped. Be careful that over + # subscribing could lock your system + #mmap-locked: yes + # Use tpacket_v3 capture mode, only active if use-mmap is true + # Don't use it in IPS or TAP mode as it causes severe latency + #tpacket-v3: yes + # Ring size will be computed with respect to "max-pending-packets" and number + # of threads. You can set manually the ring size in number of packets by setting + # the following value. If you are using flow "cluster-type" and have really network + # intensive single-flow you may want to set the "ring-size" independently of the number + # of threads: + #ring-size: 2048 + # Block size is used by tpacket_v3 only. It should set to a value high enough to contain + # a decent number of packets. Size is in bytes so please consider your MTU. It should be + # a power of 2 and it must be multiple of page size (usually 4096). + #block-size: 32768 + # tpacket_v3 block timeout: an open block is passed to userspace if it is not + # filled after block-timeout milliseconds. + #block-timeout: 10 + # Block size for tpacket-v2. In 7.0.9 the built-in default was + # increased from 32768 to 131072. Uncomment and reset back to + # 32768 if this is a problem with your configuration. + #v2-block-size: 131072 + # On busy systems, set it to yes to help recover from a packet drop + # phase. This will result in some packets (at max a ring flush) not being inspected. 
+ #use-emergency-flush: yes + # recv buffer size, increased value could improve performance + # buffer-size: 32768 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may have an invalid checksum due to + # the checksum computation being offloaded to the network card. + # Possible values are: + # - kernel: use indication sent by kernel for each packet (default) + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'capture.checksum-validation' must be set to yes to have any validation + #checksum-checks: kernel + # BPF filter to apply to this interface. The pcap filter syntax applies here. + #bpf-filter: port 80 or udp + # You can use the following variables to activate AF_PACKET tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + #copy-mode: ips + #copy-iface: eth1 + # For eBPF and XDP setup including bypass, filter and load balancing, please + # see doc/userguide/capture-hardware/ebpf-xdp.rst for more info. + + # Put default values here. These will be used for an interface that is not + # in the list above. + - interface: default + #threads: auto + #use-mmap: no + #tpacket-v3: yes + +# Linux high speed af-xdp capture support +af-xdp: + - interface: default + # Number of receive threads. 
"auto" uses least between the number + # of cores and RX queues + #threads: auto + #disable-promisc: false + # XDP_DRV mode can be chosen when the driver supports XDP + # XDP_SKB mode can be chosen when the driver does not support XDP + # Possible values are: + # - drv: enable XDP_DRV mode + # - skb: enable XDP_SKB mode + # - none: disable (kernel in charge of applying mode) + #force-xdp-mode: none + # During socket binding the kernel will attempt zero-copy, if this + # fails it will fallback to copy. If this fails, the bind fails. + # The bind can be explicitly configured using the option below. + # If configured, the bind will fail if not successful (no fallback). + # Possible values are: + # - zero: enable zero-copy mode + # - copy: enable copy mode + # - none: disable (kernel in charge of applying mode) + #force-bind-mode: none + # Memory alignment mode can vary between two modes, aligned and + # unaligned chunk modes. By default, aligned chunk mode is selected. + # select 'yes' to enable unaligned chunk mode. + # Note: unaligned chunk mode uses hugepages, so the required number + # of pages must be available. + #mem-unaligned: no + # The following options configure the prefer-busy-polling socket + # options. The polling time and budget can be edited here. + # Possible values are: + # - yes: enable (default) + # - no: disable + #enable-busy-poll: yes + # busy-poll-time sets the approximate time in microseconds to busy + # poll on a blocking receive when there is no data. + #busy-poll-time: 20 + # busy-poll-budget is the budget allowed for packet batches + #busy-poll-budget: 64 + # These two tunables are used to configure the Linux OS's NAPI + # context. Their purpose is to defer enabling of interrupts and + # instead schedule the NAPI context from a watchdog timer. + # The softirq NAPI will exit early, allowing busy polling to be + # performed. Successfully setting these tunables alongside busy-polling + # should improve performance. 
+ # Defaults are: + #gro-flush-timeout: 2000000 + #napi-defer-hard-irq: 2 + +dpdk: + eal-params: + proc-type: primary + + # DPDK capture support + # RX queues (and TX queues in IPS mode) are assigned to cores in 1:1 ratio + interfaces: + - interface: 0000:3b:00.0 # PCIe address of the NIC port + # Threading: possible values are either "auto" or number of threads + # - auto takes all cores + # in IPS mode it is required to specify the number of cores and the numbers on both interfaces must match + threads: auto + # interrupt-mode: false # true to switch to interrupt mode + promisc: true # promiscuous mode - capture all packets + multicast: true # enables also detection on multicast packets + checksum-checks: true # if Suricata should validate checksums + checksum-checks-offload: true # if possible offload checksum validation to the NIC (saves Suricata resources) + mtu: 1500 # Set MTU of the device in bytes + # rss-hash-functions: 0x0 # advanced configuration option, use only if you use untested NIC card and experience RSS warnings, + # For `rss-hash-functions` use hexadecimal 0x01ab format to specify RSS hash function flags - DumpRssFlags can help (you can see output if you use -vvv option during Suri startup) + # setting auto to rss_hf sets the default RSS hash functions (based on IP addresses) + + # To approximately calculate required amount of space (in bytes) for interface's mempool: mempool-size * mtu + # Make sure you have enough allocated hugepages. + # The optimum size for the packet memory pool (in terms of memory usage) is power of two minus one: n = (2^q - 1) + mempool-size: 65535 # The number of elements in the mbuf pool + + # Mempool cache size must be lower or equal to: + # - RTE_MEMPOOL_CACHE_MAX_SIZE (by default 512) and + # - "mempool-size / 1.5" + # It is advised to choose cache_size to have "mempool-size modulo cache_size == 0". + # If this is not the case, some elements will always stay in the pool and will never be used. 
+ # The cache can be disabled if the cache_size argument is set to 0, can be useful to avoid losing objects in cache + # If the value is empty or set to "auto", Suricata will attempt to set cache size of the mempool to a value + # that matches the previously mentioned recommendations + mempool-cache-size: 257 + rx-descriptors: 1024 + tx-descriptors: 1024 + # + # IPS mode for Suricata works in 3 modes - none, tap, ips + # - none: IDS mode only - disables IPS functionality (does not further forward packets) + # - tap: forwards all packets and generates alerts (omits DROP action) This is not DPDK TAP + # - ips: the same as tap mode but it also drops packets that are flagged by rules to be dropped + copy-mode: none + copy-iface: none # or PCIe address of the second interface + + - interface: default + threads: auto + promisc: true + multicast: true + checksum-checks: true + checksum-checks-offload: true + mtu: 1500 + rss-hash-functions: auto + mempool-size: 65535 + mempool-cache-size: 257 + rx-descriptors: 1024 + tx-descriptors: 1024 + copy-mode: none + copy-iface: none + + +# Cross platform libpcap capture support +pcap: + - interface: eth0 + # On Linux, pcap will try to use mmap'ed capture and will use "buffer-size" + # as total memory used by the ring. So set this to something bigger + # than 1% of your bandwidth. + #buffer-size: 16777216 + #bpf-filter: "tcp and port 25" + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may have an invalid checksum due to + # the checksum computation being offloaded to the network card. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. 
(default) + # Warning: 'capture.checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # With some accelerator cards using a modified libpcap (like Myricom), you + # may want to have the same number of capture threads as the number of capture + # rings. In this case, set up the threads variable to N to start N threads + # listening on the same interface. + #threads: 16 + # set to no to disable promiscuous mode: + #promisc: no + # set snaplen, if not set it defaults to MTU if MTU can be known + # via ioctl call and to full capture if not. + #snaplen: 1518 + # Put default values here + - interface: default + #checksum-checks: auto + +# Settings for reading pcap files +pcap-file: + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have checksum tested + checksum-checks: auto + # tenant-id: none # applies in multi-tenant environment with "direct" selector + # delete-when-done: false # applies to file and directory + + # PCAP Directory Processing options + # recursive: false + # continuous: false + # delay: 30 # seconds to wait before processing the newly added PCAPs + # poll-interval: 5 # how often to check the directory + +# See "Advanced Capture Options" below for more options, including Netmap +# and PF_RING. + + +## +## Step 4: App Layer Protocol configuration +## + +# Configure the app-layer parsers. +# +# The exception policy error-policy setting applies to all app-layer parsers. +# Values can be "drop-flow", "pass-flow", "bypass", "drop-packet", "pass-packet", +# "reject" or "ignore" (the default). +# +# The protocol's section details each protocol. +# +# The option "enabled" takes 3 values - "yes", "no", "detection-only". 
+# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables protocol detection only (parser disabled). +app-layer: + # error-policy: ignore + protocols: + telnet: + enabled: yes + rfb: + enabled: yes + detection-ports: + dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 + mqtt: + enabled: yes + # max-msg-length: 1mb + # subscribe-topic-match-limit: 100 + # unsubscribe-topic-match-limit: 100 + # Maximum number of live MQTT transactions per flow + # max-tx: 4096 + krb5: + enabled: yes + bittorrent-dht: + enabled: yes + snmp: + enabled: yes + ike: + enabled: yes + tls: + enabled: yes + detection-ports: + dp: 443 + + # Generate JA3/JA4 fingerprints from client hello. If not specified it + # will be disabled by default, but enabled if rules require it. + #ja3-fingerprints: auto + #ja4-fingerprints: auto + + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. + # + #encryption-handling: default + + pgsql: + enabled: no + # Stream reassembly size for PostgreSQL. By default, track it completely. 
+ stream-depth: 0 + # Maximum number of live PostgreSQL transactions per flow + # max-tx: 1024 + dcerpc: + enabled: yes + # Maximum number of live DCERPC transactions per flow + # max-tx: 1024 + ftp: + enabled: yes + # memcap: 64mb + rdp: + #enabled: yes + ssh: + enabled: yes + #hassh: yes + http2: + enabled: yes + # Maximum number of live HTTP2 streams in a flow + #max-streams: 4096 + # Maximum headers table size + #max-table-size: 65536 + # Maximum reassembly size for header + continuation frames + #max-reassembly-size: 102400 + smtp: + enabled: yes + raw-extraction: no + # Maximum number of live SMTP transactions per flow + # max-tx: 256 + # Configure SMTP-MIME Decoder + mime: + # Decode MIME messages from SMTP transactions + # (may be resource intensive) + # This field supersedes all others because it turns the entire + # process on or off + decode-mime: yes + + # Decode MIME entity bodies (ie. Base64, quoted-printable, etc.) + decode-base64: yes + decode-quoted-printable: yes + + # Maximum bytes per header data value stored in the data structure + # (default is 2000) + header-value-depth: 2000 + + # Extract URLs and save in state data structure + extract-urls: yes + # Scheme of URLs to extract + # (default is [http]) + #extract-urls-schemes: [http, https, ftp, mailto] + # Log the scheme of URLs that are extracted + # (default is no) + #log-url-scheme: yes + # Set to yes to compute the md5 of the mail body. You will then + # be able to journalize it. + body-md5: no + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: detection-only + smb: + enabled: yes + detection-ports: + dp: 139, 445 + # Maximum number of live SMB transactions per flow + # max-tx: 1024 + + # Stream reassembly size for SMB streams. By default track it completely. 
+ #stream-depth: 0 + + nfs: + enabled: yes + # max-tx: 1024 + tftp: + enabled: yes + dns: + tcp: + enabled: yes + detection-ports: + dp: 53 + udp: + enabled: yes + detection-ports: + dp: 53 + http: + enabled: yes + + # Byte Range Containers default settings + # byterange: + # memcap: 100mb + # timeout: 60 + + # memcap: Maximum memory capacity for HTTP + # Default is unlimited, values can be 64mb, e.g. + + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # + # For advanced options, see the user guide + + + # server-config: List of server configurations to use if address matches + # address: List of IP addresses or networks for this block + # personality: List of personalities used by this block + # + # Then, all the fields from default-config can be overloaded + # + # Currently Available Personalities: + # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, + # IIS_7_0, IIS_7_5, Apache_2 + libhtp: + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 100kb + response-body-limit: 100kb + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto + + # Decompress SWF files. Disabled by default. 
+ # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # compress-depth: + # Specifies the maximum amount of data to decompress, + # set 0 for unlimited. + # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: no + type: both + compress-depth: 100kb + decompress-depth: 100kb + + # Use a random value for inspection sizes around the specified value. + # This lowers the risk of some evasion techniques but could lead + # to detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If "randomize-inspection-sizes" is active, the value of various + # inspection size will be chosen from the [1 - range%, 1 + range%] + # range + # Default value of "randomize-inspection-range" is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + # Can enable LZMA decompression + #lzma-enabled: false + # Memory limit usage for LZMA decompression dictionary + # Data is decompressed until dictionary reaches this size + #lzma-memlimit: 1mb + # Maximum decompressed size with a compression ratio + # above 2048 (only LZMA can reach this ratio, deflate cannot) + #compression-bomb-limit: 1mb + # Maximum time spent decompressing a single transaction in usec + #decompression-time-limit: 100000 + # Maximum number of live transactions per flow + #max-tx: 512 + # Maximum used number of HTTP1 headers in one request or response + #headers-limit: 1024 + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. 
Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + # Note: Modbus probe parser is minimalist due to the limited usage in the field. + # Only Modbus message length (greater than Modbus header length) + # and protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positives + modbus: + # How many unanswered Modbus requests are considered a flood. + # If the limit is reached, the app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: no + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + + # Stream reassembly size for modbus. By default track it completely. + stream-depth: 0 + + # DNP3 + dnp3: + enabled: no + detection-ports: + dp: 20000 + + # SCADA EtherNet/IP and CIP protocol support + enip: + enabled: no + detection-ports: + dp: 44818 + sp: 44818 + + ntp: + enabled: yes + + quic: + enabled: yes + + dhcp: + enabled: yes + + sip: + #enabled: yes + +# Limit for the maximum number of asn1 frames to decode (default 256) +asn1-max-frames: 256 + +# Datasets default settings +datasets: + # Default fallback memcap and hashsize values for datasets in case these + # were not explicitly defined. + defaults: + #memcap: 100mb + #hashsize: 2048 + + # Limits for per rule dataset instances to avoid rules using too many + # resources. + # Note: in Suricata 8 the built-in default will be set to lower values. + limits: + # Max value for per dataset `hashsize` setting + #single-hashsize: 262144 + # Max combined hashsize values for all datasets. 
+ #total-hashsizes: 67108864 + + rules: + # Set to true to allow absolute filenames and filenames that use + # ".." components to reference parent directories in rules that specify + # their filenames. + #allow-absolute-filenames: false + + # Allow datasets in rules write access for "save" and + # "state". This is enabled by default, however write access is + # limited to the data directory. + #allow-write: true + +############################################################################## +## +## Advanced settings below +## +############################################################################## + +## +## Run Options +## + +# Run Suricata with a specific user-id and group-id: +#run-as: +# user: suri +# group: suri + +security: + # if true, prevents process creation from Suricata by calling + # setrlimit(RLIMIT_NPROC, 0) + limit-noproc: true + # Use landlock security module under Linux + landlock: + enabled: no + directories: + #write: + # - /var/run/ + # /usr and /etc folders are added to read list to allow + # file magic to be used. + read: + - /usr/ + - /etc/ + - /etc/suricata/ + + lua: + # Allow Lua rules. Disabled by default. + #allow-rules: false + +# Some logging modules will use that name in event as identifier. The default +# value is the hostname +#sensor-name: suricata + +# Default location of the pid file. The pid file is only used in +# daemon mode (start Suricata with -D). If not running in daemon mode +# the --pidfile command line option must be used to create a pid file. +#pid-file: /var/run/suricata.pid + +# Daemon working directory +# Suricata will change directory to this one if provided +# Default: "/" +#daemon-directory: "/" + +# Umask. +# Suricata will use this umask if it is provided. By default it will use the +# umask passed on by the shell. +#umask: 022 + +# Suricata core dump configuration. Limits the size of the core dump file to +# approximately max-dump. The actual core dump size will be a multiple of the +# page size. 
Core dumps that would be larger than max-dump are truncated. On +# Linux, the actual core dump size may be a few pages larger than max-dump. +# Setting max-dump to 0 disables core dumping. +# Setting max-dump to 'unlimited' will give the full core dump file. +# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size +# to be 'unlimited'. + +coredump: + max-dump: unlimited + +# If the Suricata box is a router for the sniffed networks, set it to 'router'. If +# it is a pure sniffing setup, set it to 'sniffer-only'. +# If set to auto, the variable is internally switched to 'router' in IPS mode +# and 'sniffer-only' in IDS mode. +# This feature is currently only used by the reject* keywords. +host-mode: auto + +# Number of packets preallocated per thread. The default is 1024. A higher number +# will make sure each CPU will be more easily kept busy, but may negatively +# impact caching. +#max-pending-packets: 1024 + +# Runmode the engine should use. Please check --list-runmodes to get the available +# runmodes for each packet acquisition method. Default depends on selected capture +# method. 'workers' generally gives best performance. +#runmode: autofp + +# Specifies the kind of flow load balancer used by the flow pinned autofp mode. +# +# Supported schedulers are: +# +# hash - Flow assigned to threads using the 5-7 tuple hash. +# ippair - Flow assigned to threads using addresses only. +# ftp-hash - Flow assigned to threads using the hash, except for FTP, so that +# ftp-data flows will be handled by the same thread +# +#autofp-scheduler: hash + +# Preallocated size for each packet. Default is 1514 which is the classical +# size for pcap on Ethernet. You should adjust this value to the highest +# packet size (MTU + hardware header) on your system. +#default-packet-size: 1514 + +# Unix command socket that can be used to pass commands to Suricata. 
+# An external tool can then connect to get information from Suricata +# or trigger some modifications of the engine. Set enabled to yes +# to activate the feature. In auto mode, the feature will only be +# activated in live capture mode. You can use the filename variable to set +# the file name of the socket. +unix-command: + enabled: auto + #filename: custom.socket + +# Magic file. The extension .mgc is added to the value here. +#magic-file: /usr/share/file/magic +#magic-file: + +# GeoIP2 database file. Specify path and filename of GeoIP2 database +# if using rules with "geoip" rule option. +#geoip-database: /usr/share/GeoIP/GeoLite2-Country.mmdb + +legacy: + uricontent: enabled + +## +## Detection settings +## + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +# action-order: +# - pass +# - drop +# - reject +# - alert + +# Define maximum number of possible alerts that can be triggered for the same +# packet. Default is 15 +#packet-alert-max: 15 + +# Exception Policies +# +# Define a common behavior for all exception policies. +# In IPS mode, the default is drop-flow. For cases when that's not possible, the +# engine will fall to drop-packet. To fallback to old behavior (setting each of +# them individually, or ignoring all), set this to ignore. +# All values available for exception policies can be used, and there is one +# extra option: auto - which means drop-flow or drop-packet (as explained above) +# in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet, +# drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable). +exception-policy: auto + +# IP Reputation +#reputation-categories-file: /etc/suricata/iprep/categories.txt +#default-reputation-path: /etc/suricata/iprep +#reputation-files: +# - reputation.list + +# When run with the option --engine-analysis, the engine will read each of +# the parameters below, and print reports for each of the enabled sections +# and exit. 
The reports are printed to a file in the default log dir +# given by the parameter "default-log-dir", with engine reporting +# subsection below printing reports in its own report file. +engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + +## +## Advanced Traffic Tracking and Reconstruction Settings +## + +# Host specific policies for defragmentation and TCP stream +# reassembly. The host OS lookup is done using a radix tree, just +# like a routing table so the most specific entry matches. +host-os-policy: + # Make the default policy windows. + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + +# Defrag settings: + +# The exception policy memcap-policy value can be "drop-packet", "pass-packet", +# "reject" or "ignore" (which is the default). +defrag: + memcap: 32mb + # memcap-policy: ignore + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + +# Flow settings: +# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# for flow allocation inside the engine. You can change this value to allow +# more memory usage for flows. +# The hash-size determines the size of the hash used to identify flows inside +# the engine, and by default the value is 65536. 
+# At startup, the engine can preallocate a number of flows, to get better +# performance. The number of flows preallocated is 10000 by default. +# emergency-recovery is the percentage of flows that the engine needs to +# prune before clearing the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing new flows to be created, but +# pruning them with the emergency timeouts (they are defined below). +# If the memcap is reached, the engine will try to prune flows +# with the default timeouts. If it doesn't find a flow to prune, it will set +# the emergency bit and it will try again with more aggressive timeouts. +# If that doesn't work, then it will try to kill the oldest flows using +# last time seen flows. +# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# in bytes. +# The exception policy memcap-policy can be "drop-packet", "pass-packet", +# "reject" or "ignore" (which is the default). + +flow: + memcap: 128mb + #memcap-policy: ignore + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 # default to one flow manager + #recyclers: 1 # default to one flow recycler thread + +# This option controls the use of VLAN ids in the flow (and defrag) +# hashing. Normally this should be enabled, but in some (broken) +# setups where both sides of a flow are not tagged with the same VLAN +# tag, we can ignore the VLAN id's in the flow hashing. +vlan: + use-for-tracking: true + +# This option controls the use of livedev ids in the flow (and defrag) +# hashing. This is enabled by default and should be disabled if +# multiple live devices are used to capture traffic from the same network +livedev: + use-for-tracking: true + +# Specific timeouts for flows. Here you can specify the timeouts that the +# active flows will wait to transit from the current state to another, on each +# protocol. 
The value of "new" determines the seconds to wait after a handshake or +# stream startup before the engine frees the data of that flow it doesn't +# change the state to established (usually if we don't receive more packets +# of that flow). The value of "established" is the amount of +# seconds that the engine will wait to free the flow if that time elapses +# without receiving new packets or closing the connection. "closed" is the +# amount of time to wait after a flow is closed (usually zero). "bypassed" +# timeout controls locally bypassed flows. For these flows we don't do any other +# tracking. If no packets have been seen after this timeout, the flow is discarded. +# +# There's an emergency mode that will become active under attack circumstances, +# making the engine to check flow status faster. This configuration variables +# use the prefix "emergency-" and work similar as the normal ones. +# Some timeouts doesn't apply to all the protocols, like "closed", for udp and +# icmp. + +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 + established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + +# Stream engine settings. Here the TCP stream tracking and reassembly +# engine is configured. +# +# stream: +# memcap: 64mb # Can be specified in kb, mb, gb. Just a +# # number indicates it's in bytes. 
+# memcap-policy: ignore # The exception policy value can be "drop-flow", +# # "pass-flow", "bypass", "drop-packet", +# # "pass-packet", "reject" or "ignore" default is "ignore" +# checksum-validation: yes # To validate the checksum of received +# # packet. If csum validation is specified as +# # "yes", then packets with invalid csum values will not +# # be processed by the engine stream/app layer. +# # Warning: locally generated traffic can be +# # generated without checksum due to hardware offload +# # of checksum. You can control the handling of checksum +# # on a per-interface basis via the 'checksum-checks' +# # option +# prealloc-sessions: 2048 # 2k sessions prealloc'd per stream thread +# midstream: false # don't allow midstream session pickups +# midstream-policy: ignore # The exception policy value can be "drop-flow", +# # "pass-flow", "bypass", "drop-packet", +# # "pass-packet", "reject" or "ignore" default is "ignore" +# async-oneside: false # don't enable async stream handling +# inline: no # stream inline mode +# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine +# max-syn-queued: 10 # Max different SYNs to queue +# max-synack-queued: 5 # Max different SYN/ACKs to queue +# bypass: no # Bypass packets when stream.reassembly.depth is reached. +# # Warning: first side to reach this triggers +# # the bypass. +# liberal-timestamps: false # Treat all timestamps as if the Linux policy applies. This +# # means it's slightly more permissive. Enabled by default. +# +# reassembly: +# memcap: 256mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# memcap-policy: ignore # The exception policy value can be "drop-flow", +# # "pass-flow", "bypass", "drop-packet", "pass-packet", +# # "reject" or "ignore" default is "ignore" +# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. 
+# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. +# # This lowers the risk of some evasion techniques but could lead +# # to detection change between runs. It is set to 'yes' by default. +# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is +# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size +# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same +# # calculation for toclient-chunk-size. +# # Default value of randomize-chunk-range is 10. +# +# raw: yes # 'Raw' reassembly enabled or disabled. +# # raw is for content inspection by detection +# # engine. +# +# segment-prealloc: 2048 # number of segments preallocated per thread +# +# check-overlap-different-data: true|false +# # check if a segment contains different data +# # than what we've already seen for that +# # position in the stream. +# # This is enabled automatically if inline mode +# # is used or when stream-event:reassembly_overlap_different_data; +# # is used in a rule. 
+# +stream: + memcap: 64mb + #memcap-policy: ignore + checksum-validation: yes # reject incorrect csums + #midstream: false + #midstream-policy: ignore + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + # experimental TCP urgent handling logic + #urgent: + # policy: inline # drop, inline, oob (1 byte, see RFC 6093, 3.1), gap + # oob-limit-policy: drop + memcap: 256mb + #memcap-policy: ignore + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + #randomize-chunk-range: 10 + #raw: yes + #segment-prealloc: 2048 + #check-overlap-different-data: true + +# Host table: +# +# Host table is used by the tagging and per host thresholding subsystems. +# +host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + +# IP Pair table: +# +# Used by xbits 'ippair' tracking. +# +#ippair: +# hash-size: 4096 +# prealloc: 1000 +# memcap: 32mb + +# Decoder settings + +decoder: + # Teredo decoder is known to not be completely accurate + # as it will sometimes detect non-teredo as teredo. + teredo: + enabled: true + # ports to look for Teredo. Max 4 ports. If no ports are given, or + # the value is set to 'any', Teredo detection runs on _all_ UDP packets. + ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'. + + # VXLAN decoder is assigned to up to 4 UDP ports. By default only the + # IANA assigned port 4789 is enabled. + vxlan: + enabled: true + ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'. + + # Geneve decoder is assigned to up to 4 UDP ports. By default only the + # IANA assigned port 6081 is enabled. + geneve: + enabled: true + ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'. + + # maximum number of decoder layers for a packet + # max-layers: 16 + + # IP-in-IP tunneling for ipv4 over ipv4 handling. + # Disabled by default, as these will impact number of alerts seen, as well as + # number of flows. 
+ # ipv4: + # ipip: + # enabled: true + # track-parent-flow: true # disabled by default + # Set parent flow for packets seen in IP-in-IP tunneling for ipv4 or ipv6 + # over ipv6. + # Disabled by default, as these will impact number of alerts seen, as well as + # number of flows. + # ipv6: + # ipip-ipv4: + # track-parent-flow: true # disabled by default + # ipip-ipv6: + # track-parent-flow: true # disabled by default + +## +## Performance tuning and profiling +## + +# The detection engine builds internal groups of signatures. The engine +# allows us to specify the profile to use for them, to manage memory in an +# efficient way keeping good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom, +# make sure to define the values in the "custom-values" section. +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm-context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. +# +# The option inspection-recursion-limit is used to limit the recursive calls +# in the content inspection code. For certain payload-sig combinations, we +# might end up taking too much time in the content inspection code. +# If the argument specified is 0, there are no limits on the recursion. 
+# When a value is not specified, the default is 3000 +detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + #inspection-recursion-limit: 3000 + # try to tie an app-layer transaction for rules without app-layer keywords + # if there is only one live transaction for the flow + # allows to log app-layer metadata in alert + # but the transaction may not be the relevant one. + # guess-applayer-tx: no + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #delayed-detect: yes + + prefilter: + # default prefiltering setting. "mpm" only creates MPM/fast_pattern + # engines. "auto" also sets up prefilter engines for other keywords. + # Use --list-keywords=all to see which keywords support prefiltering. + default: mpm + + # the grouping values above control how many groups are created per + # direction. Port whitelisting forces that port to get its own group. + # Very common ports will benefit, as well as ports with many expensive + # rules. + grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + # Log the rules that made it past the prefilter stage, per packet + # default is off. The threshold setting determines how many rules + # must have made it past pre-filter for that rule to trigger the + # logging. + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false # very verbose + include-mpm-stats: false + +# Select the multi pattern algorithm you want to run for scan/search the +# in the engine. 
+# +# The supported algorithms are: +# "ac" - Aho-Corasick, default implementation +# "ac-bs" - Aho-Corasick, reduced memory implementation +# "ac-ks" - Aho-Corasick, "Ken Steele" variant +# "hs" - Hyperscan, available when built with Hyperscan support +# +# The default mpm-algo value of "auto" will use "hs" if Hyperscan is +# available, "ac" otherwise. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect.sgh-mpm-context". +# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in memory, in which case one can +# use "full" with "ac". The rest of the mpms can be run in "full" mode. + +mpm-algo: auto + +# Select the matching algorithm you want to use for single-pattern searches. +# +# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only +# available if Suricata has been built with Hyperscan support). +# +# The default of "auto" will use "hs" if available, otherwise "bm". + +spm-algo: auto + +# Suricata is multi-threaded. Here the threading can be influenced. +threading: + set-cpu-affinity: no + # Tune cpu affinity of threads. Each family of threads can be bound + # to specific CPUs. 
+ # + # These 2 apply to the all runmodes: + # management-cpu-set is used for flow timeout handling, counters + # worker-cpu-set is used for 'worker' threads + # + # Additionally, for autofp these apply: + # receive-cpu-set is used for capture threads + # verdict-cpu-set is used for IPS verdict threads + # + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] # include only these CPUs in affinity settings + - receive-cpu-set: + cpu: [ 0 ] # include only these CPUs in affinity settings + - worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + # Use explicitly 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + #- verdict-cpu-set: + # cpu: [ 0 ] + # prio: + # default: "high" + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.0 + # + # By default, the per-thread stack size is left to its default setting. If + # the default thread stack size is too small, use the following configuration + # setting to change the size. Note that if any thread's stack size cannot be + # set to this value, a fatal error occurs. + # + # Generally, the per-thread stack-size should not exceed 8MB. + #stack-size: 8mb + +# Luajit has a strange memory requirement, its 'states' need to be in the +# first 2G of the process' memory. +# +# 'luajit.states' is used to control how many states are preallocated. +# State use: per detect script: 1 per detect thread. Per output script: 1 per +# script. 
+luajit: + states: 128 + +# Profiling settings. Only effective if Suricata has been built with +# the --enable-profiling configure flag. +# +profiling: + # Run profiling for every X-th packet. The default is 1, which means we + # profile every packet. If set to 1024, one packet is profiled for every + # 1024 received. The sample rate must be a power of 2. + #sample-rate: 1024 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: rule_perf.log + append: yes + # Set active to yes to enable rules profiling at start + # if set to no (default), the rules profiling will have to be started + # via unix socket commands. + #active:no + + # Sort options: ticks, avgticks, checks, matches, maxticks + # If commented out all the sort options will be used. + #sort: avgticks + + # Limit the number of sids for which stats are shown at exit (per sort). + limit: 10 + + # output to json + json: yes + + # per keyword profiling + keywords: + enabled: yes + filename: keyword_perf.log + append: yes + + prefilter: + enabled: yes + filename: prefilter_perf.log + append: yes + + # per rulegroup profiling + rulegroups: + enabled: yes + filename: rule_group_perf.log + append: yes + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: packet_stats.log + append: yes + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. 
+ locks: + enabled: no + filename: lock_stats.log + append: yes + + pcap-log: + enabled: no + filename: pcaplog_stats.log + append: yes + +## +## Netfilter integration +## + +# When running in NFQ inline mode, it is possible to use a simulated +# non-terminal NFQUEUE verdict. +# This permits sending all needed packet to Suricata via this rule: +# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE +# And below, you can have your standard filtering ruleset. To activate +# this mode, you need to set mode to 'repeat' +# If you want a packet to be sent to another queue after an ACCEPT decision +# set the mode to 'route' and set next-queue value. +# On Linux >= 3.1, you can set batchcount to a value > 1 to improve performance +# by processing several packets before sending a verdict (worker runmode only). +# On Linux >= 3.6, you can set the fail-open option to yes to have the kernel +# accept the packet if Suricata is not able to keep pace. +# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is +# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask +# on packet of a flow that need to be bypassed. The Netfilter ruleset has to +# directly accept all packets of a flow once a packet has been marked. +nfq: +# mode: accept +# repeat-mark: 1 +# repeat-mask: 1 +# bypass-mark: 1 +# bypass-mask: 1 +# route-queue: 2 +# batchcount: 20 +# fail-open: yes + +#nflog support +nflog: + # netlink multicast group + # (the same as the iptables --nflog-group param) + # Group 0 is used by the kernel, so you can't use it + - group: 2 + # netlink buffer size + buffer-size: 18432 + # put default value here + - group: default + # set number of packets to queue inside kernel + qthreshold: 1 + # set the delay before flushing packet in the kernel's queue + qtimeout: 100 + # netlink max buffer size + max-size: 20000 + +## +## Advanced Capture Options +## + +# General settings affecting packet capture +capture: + # disable NIC offloading. 
It's restored when Suricata exits. + # Enabled by default. + #disable-offloading: false + # + # disable checksum validation. Same as setting '-k none' on the + # command-line. + #checksum-validation: none + +# Netmap support +# +# Netmap operates with NIC directly in driver, so you need FreeBSD 11+ which has +# built-in Netmap support or compile and install the Netmap module and appropriate +# NIC driver for your Linux system. +# To reach maximum throughput disable all receive-, segmentation-, +# checksum- offloading on your NIC (using ethtool or similar). +# Disabling TX checksum offloading is *required* for connecting OS endpoint +# with NIC endpoint. +# You can find more information at https://github.com/luigirizzo/netmap +# +netmap: + # To specify OS endpoint add plus sign at the end (e.g. "eth0+") + - interface: eth2 + # Number of capture threads. "auto" uses number of RSS queues on interface. + # Warning: unless the RSS hashing is symmetrical, this will lead to + # accuracy issues. + #threads: auto + # You can use the following variables to activate netmap tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + # To specify the OS as the copy-iface (so the OS can route packets, or forward + # to a service running on the same machine) add a plus sign at the end + # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 + # for return packets. Hardware checksumming must be *off* on the interface if + # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD + # or 'ethtool -K eth0 tx off rx off' for Linux). + #copy-mode: tap + #copy-iface: eth3 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. 
At the moment + # of the capture, some packets may have an invalid checksum due to + # the checksum computation being offloaded to the network card. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + #- interface: eth3 + #threads: auto + #copy-mode: tap + #copy-iface: eth2 + # Put default values here + - interface: default + +# PF_RING configuration: for use with native PF_RING support +# for more info see http://www.ntop.org/products/pf_ring/ +pfring: + - interface: eth0 + # Number of receive threads. If set to 'auto' Suricata will first try + # to use CPU (core) count and otherwise RSS queue count. + threads: auto + + # Default clusterid. PF_RING will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + + # Default PF_RING cluster type. PF_RING can load balance per flow. + # Possible values are: + # - cluster_flow: 6-tuple: + # - cluster_inner_flow: 6-tuple: + # - cluster_inner_flow_2_tuple: 2-tuple: + # - cluster_inner_flow_4_tuple: 4-tuple: + # - cluster_inner_flow_5_tuple: 5-tuple: + # - cluster_round_robin (NOT RECOMMENDED) + cluster-type: cluster_flow + + # bpf filter for this interface + #bpf-filter: tcp + + # If bypass is set then the PF_RING hw bypass is activated, when supported + # by the network interface. Suricata will instruct the interface to bypass + # all future packets for a flow that need to be bypassed. + #bypass: yes + + # Choose checksum verification mode for the interface. 
At the moment + # of the capture, some packets may have an invalid checksum due to + # the checksum computation being offloaded to the network card. + # Possible values are: + # - rxonly: only compute checksum for packets received by network card. + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # Second interface + #- interface: eth1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + # Put default values here + - interface: default + #threads: 2 + +# For FreeBSD ipfw(8) divert(4) support. +# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" +# in /etc/loader.conf or kldload'ing the appropriate kernel modules. +# Additionally, you need to have an ipfw rule for the engine to see +# the packets from ipfw. For Example: +# +# ipfw add 100 divert 8000 ip from any to any +# +# N.B. This example uses "8000" -- this number must mach the values +# you passed on the command line, i.e., -d 8000 +# +ipfw: + + # Reinject packets at the specified ipfw rule number. This config + # option is the ipfw rule number AT WHICH rule processing continues + # in the ipfw processing system after the engine has finished + # inspecting the packet for acceptance. If no rule number is specified, + # accepted packets are reinjected at the divert rule which they entered + # and IPFW rule processing continues. No check is done to verify + # this will rule makes sense so care must be taken to avoid loops in ipfw. 
+ # + ## The following example tells the engine to reinject packets + # back into the ipfw firewall AT rule number 5500: + # + # ipfw-reinjection-rule-number: 5500 + + +napatech: + # When use_all_streams is set to "yes" the initialization code will query + # the Napatech service for all configured streams and listen on all of them. + # When set to "no" the streams config array will be used. + # + # This option necessitates running the appropriate NTPL commands to create + # the desired streams prior to running Suricata. + #use-all-streams: no + + # The streams to listen on when auto-config is disabled or when and threading + # cpu-affinity is disabled. This can be either: + # an individual stream (e.g. streams: [0]) + # or + # a range of streams (e.g. streams: ["0-3"]) + # + streams: ["0-3"] + + # Stream stats can be enabled to provide fine grain packet and byte counters + # for each thread/stream that is configured. + # + enable-stream-stats: no + + # When auto-config is enabled the streams will be created and assigned + # automatically to the NUMA node where the thread resides. If cpu-affinity + # is enabled in the threading section. Then the streams will be created + # according to the number of worker threads specified in the worker-cpu-set. + # Otherwise, the streams array is used to define the streams. + # + # This option is intended primarily to support legacy configurations. + # + # This option cannot be used simultaneously with either "use-all-streams" + # or "hardware-bypass". + # + auto-config: yes + + # Enable hardware level flow bypass. + # + hardware-bypass: yes + + # Enable inline operation. When enabled traffic arriving on a given port is + # automatically forwarded out its peer port after analysis by Suricata. + # + inline: no + + # Ports indicates which Napatech ports are to be used in auto-config mode. + # these are the port IDs of the ports that will be merged prior to the + # traffic being distributed to the streams. 
+ # + # When hardware-bypass is enabled the ports must be configured as a segment. + # specify the port(s) on which upstream and downstream traffic will arrive. + # This information is necessary for the hardware to properly process flows. + # + # When using a tap configuration one of the ports will receive inbound traffic + # for the network and the other will receive outbound traffic. The two ports on a + # given segment must reside on the same network adapter. + # + # When using a SPAN-port configuration the upstream and downstream traffic + # arrives on a single port. This is configured by setting the two sides of the + # segment to reference the same port. (e.g. 0-0 to configure a SPAN port on + # port 0). + # + # port segments are specified in the form: + # ports: [0-1,2-3,4-5,6-6,7-7] + # + # For legacy systems when hardware-bypass is disabled this can be specified in any + # of the following ways: + # + # a list of individual ports (e.g. ports: [0,1,2,3]) + # + # a range of ports (e.g. ports: [0-3]) + # + # "all" to indicate that all ports are to be merged together + # (e.g. ports: [all]) + # + # This parameter has no effect if auto-config is disabled. + # + ports: [0-1,2-3] + + # When auto-config is enabled the hashmode specifies the algorithm for + # determining to which stream a given packet is to be delivered. + # This can be any valid Napatech NTPL hashmode command. + # + # The most common hashmode commands are: hash2tuple, hash2tuplesorted, + # hash5tuple, hash5tuplesorted and roundrobin. + # + # See Napatech NTPL documentation other hashmodes and details on their use. + # + # This parameter has no effect if auto-config is disabled. + # + hashmode: hash5tuplesorted + +## +## Configure Suricata to load Suricata-Update managed rules. +## + +default-rule-path: /etc/suricata/rules + +rule-files: + - suricata.rules + +## +## Auxiliary configuration files. 
+## + +classification-file: /etc/suricata/classification.config +reference-config-file: /etc/suricata/reference.config +# threshold-file: /etc/suricata/threshold.config + +## +## Include other configs +## + +# Includes: Files included here will be handled as if they were in-lined +# in this configuration file. Files with relative pathnames will be +# searched for in the same directory as this configuration file. You may +# use absolute pathnames too. +#include: +# - include1.yaml +# - include2.yaml From 330a08f01dbf51da5734b24ca6ae9b84e860e213 Mon Sep 17 00:00:00 2001 From: jelly Tomas Date: Sun, 22 Mar 2026 10:50:23 +0000 Subject: [PATCH 6/7] Suricata and rules should be done, changed the --sport to dport on most of them --- DMZ.sh | 2 +- ROUTER.sh | 42 +++++++++++++++++------------------------- 2 files changed, 18 insertions(+), 26 deletions(-) diff --git a/DMZ.sh b/DMZ.sh index 75d7ede..c3db785 100644 --- a/DMZ.sh +++ b/DMZ.sh @@ -26,7 +26,7 @@ sudo systemctl enable iptables sudo iptables -F sudo ifconfig enp0s8 $ip netmask $mask25 sudo ip route add 192.168.10.0/24 via $routerIp -sudo add default gw $routerIp +sudo route add default gw $routerIp # alias dos ips sudo ip addr add $dns dev enp0s8 sudo ip addr add $mail dev enp0s8 diff --git a/ROUTER.sh b/ROUTER.sh index f398568..82a2caf 100644 --- a/ROUTER.sh +++ b/ROUTER.sh 
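Review bot: The repaired line `sudo route add default gw $routerIp` in DMZ.sh reaches for the net-tools `route` command while the line directly above already sets a route with iproute2 (`sudo ip route add 192.168.10.0/24 via $routerIp`), so the default route and the static route are now managed by two different toolchains. `sudo ip route add default via "$routerIp"` keeps the routing setup in one tool and quotes the expansion. The surrounding context lines carry the same unquoted `$ip`, `$mask25`, `$dns` and `$mail` expansions; quoting each one is a small change that avoids word-splitting if a value is ever empty or malformed.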
@@ -55,53 +55,45 @@ sudo iptables -A OUTPUT -o lo -j ACCEPT #sudo iptables -t nat -A POSTROUTING -i enp0s9 -o enp0s3 -j MASQUERADE #SUS sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #CAREFULL #DNS name resolution requests sent to outside servers and want a response: -sudo iptables -A INPUT -i enp0s10 -p udp --sport 53 -j ACCEPT +sudo iptables -A INPUT -i enp0s10 -p udp --dport 53 -j ACCEPT #SSH connections to the router system that originate from the inside and want an answer: -sudo iptables -A INPUT -i enp0s9 -p tcp --sport 22 -j ACCEPT #TESTED -sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --sport 22 -j ACCEPT #TESTED +sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT +sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT #The dns server should be able to resolve names using the internet (and others???) -sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --sport 53 -j ACCEPT #NEED to test !! +sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT #The internal network should be able to send and recieve dns name resolutions to the dns server (1!) -sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --sport 53 -j ACCEPT #CORRECT AND TESTED WILL ACTIVATE WHEN YOU SEND FROM ENP0S9 to ENP0S8 +sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #THIS IS IMPORTANT AND MIGHT FUCK US #The dns and dns2 servers should be able to synchronize the contents of DNS zones. (protocol tcp port 53) -sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --sport 53 -j ACCEPT #NEED to test! 
+sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --dport 53 -j ACCEPT #SMTP connections to the smtp server and returns -sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --sport 587 -j ACCEPT #TESTED +sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT #sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT #POP and IMAP connections to the www server -sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --sport 143 -j ACCEPT #TESTED -sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --sport 110 -j ACCEPT #TESTED +sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 143 -j ACCEPT +sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 110 -j ACCEPT #HTTP and HTTPS connectins -sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --sport 80 -j ACCEPT #TESTED THROUGH NETCAT -sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --sport 443 -j ACCEPT #TESTED THROUGH NETCAT -#sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT -#sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT +sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT +sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT #OpenVPN connections to the vpn-gw server -sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --sport 1194 -j ACCEPT #NEDDS testing +sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT #sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p udp --dport 1194 -j ACCEPT #VPN clients connected to the gateway vpn-gw ???? 
vpn should be able to acess ftp e datastore -sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT #NEDDS testing -sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT #NEDDS testing +sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT +sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT #FTP da internet WORRIED ??? -sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --sport 21 -j ACCEPT #Changed sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED #SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3 sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3 -sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3 -sudo iptables -t nat -A PREROUTING -s $eden -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3 sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2 -sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --sport 21 -j DNAT --to-destination 192.168.10.2 -sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --sport 22 -j ACCEPT #Need to check and make diferent ip addresses -sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --sport 22 -j ACCEPT sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT #Need to check and make diferent ip addresses sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT #enp0s9 to internet DNS, http, https, ssh, 
FTP(SERVERS??????(WHO INVITED THIS GUY)) SNAT sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o enp0s10 -j SNAT --to-source 87.248.214.97 -sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p udp --sport 53 -j ACCEPT #TESTED -sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 80 -j ACCEPT #TESTED -sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 443 -j ACCEPT #TESTED +sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p udp --dport 53 -j ACCEPT +sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 80 -j ACCEPT +sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 443 -j ACCEPT sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 21 -j ACCEPT #MIGHT NOT BE ENOUGH sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 21 -j ACCEPT \ No newline at end of file From 3124e6977afc9898c2a2667966ce58353f6fdb03 Mon Sep 17 00:00:00 2001 From: jelly Tomas Date: Sun, 22 Mar 2026 13:21:05 +0000 Subject: [PATCH 7/7] First draft of relatorio --- DMZ.sh | 8 ++++---- ROUTER.sh | 2 +- relatorio.pdf | Bin 45092 -> 97834 bytes relatorio.synctex.gz | Bin 5081 -> 20136 bytes relatorio.tex | 46 +++++++++++++++++++++++++++++++++++++------ 5 files changed, 45 insertions(+), 11 deletions(-) diff --git a/DMZ.sh b/DMZ.sh index c3db785..226034c 100644 --- a/DMZ.sh +++ b/DMZ.sh @@ -7,10 +7,10 @@ routerIp=23.214.219.254 mask25=255.255.255.128 dns=23.214.219.130 -mail=23.214.219.131 -vpn_gw=23.214.219.132 -www=23.214.219.133 -smtp=23.214.219.134 +mail=23.214.219.134 +vpn_gw=23.214.219.133 +www=23.214.219.132 +smtp=23.214.219.131 dnsPort=53 mailPort=888 diff --git a/ROUTER.sh b/ROUTER.sh index 82a2caf..07b8311 100644 --- a/ROUTER.sh +++ b/ROUTER.sh 
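Review bot: The rewritten INPUT rule `sudo iptables -A INPUT -i enp0s10 -p udp --dport 53 -j ACCEPT` accepts unsolicited UDP/53 from enp0s10 into the router itself, and the SNAT rule at the end of this hunk (`-o enp0s10 -j SNAT --to-source 87.248.214.97`) shows enp0s10 is the Internet-facing side. The comment above the rule says the intent is to receive answers to queries the router sends out, but those answers are already matched by the `ESTABLISHED,RELATED` INPUT rule three lines earlier, so the old `--sport 53` form was redundant and the new `--dport 53` form is an exposure rather than a fix; the line can be deleted. If the router's own outgoing queries are blocked by a restrictive OUTPUT policy, the missing piece is `sudo iptables -A OUTPUT -o enp0s10 -p udp --dport 53 -j ACCEPT`, not an INPUT rule. The block of rules begins before this hunk (the hunk header only shows `sudo iptables -A OUTPUT -o lo -j ACCEPT`), so the OUTPUT policy cannot be confirmed from here; the `--sport` to `--dport` changes on the enp0s9 to enp0s8 FORWARD rules look right, since those describe new connections toward the servers.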
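Review bot: Swapping the four DMZ addresses here leaves the same values duplicated as bare literals in ROUTER.sh (the FORWARD rules in the previous commit match `23.214.219.131` for SMTP 587, `.134` for POP/IMAP, `.132` for HTTP/HTTPS and `.133` for OpenVPN), so the host-to-address mapping lives in two files with nothing tying them together, which is how this mix-up could arise. Sourcing one shared variables file from both scripts, or repeating the `mail=`/`www=`/`smtp=`/`vpn_gw=` assignments at the top of ROUTER.sh, would let the filter rules reference the names instead of the numbers. Until then a comment beside this block, e.g. `# DMZ host addresses; the per-host FORWARD rules in ROUTER.sh must match these`, records the dependency.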
@@ -55,7 +55,7 @@ sudo iptables -A OUTPUT -o lo -j ACCEPT
 #sudo iptables -t nat -A POSTROUTING -i enp0s9 -o enp0s3 -j MASQUERADE #SUS
 sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #CAREFULL
 #DNS name resolution requests sent to outside servers and want a response:
-sudo iptables -A INPUT -i enp0s10 -p udp --dport 53 -j ACCEPT
+sudo iptables -A INPUT -o enp0s10 -p udp --dport 53 -j ACCEPT
 #SSH connections to the router system that originate from the inside and want an answer:
 sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT
 sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT
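Review bot: `-o` is not a valid match in the INPUT chain (iptables rejects an output-interface match on INPUT), so the edited line `sudo iptables -A INPUT -o enp0s10 -p udp --dport 53 -j ACCEPT` fails to load and the rule is silently absent; nothing visible in the hunk stops the script on a failed iptables call, so the error scrolls past and the ruleset ends up different from what the file says. Replies to the router's own DNS queries are already covered by the `ESTABLISHED,RELATED` INPUT rule two lines above, so the line should be deleted rather than repaired. If an explicit egress allow is needed for the router's resolver traffic it belongs in the OUTPUT chain, `sudo iptables -A OUTPUT -o enp0s10 -p udp --dport 53 -j ACCEPT`. The comment above the rule could then be tightened to `#DNS replies to the router's own queries are accepted by the ESTABLISHED,RELATED rule above` so the next reader does not reintroduce an INPUT rule for port 53.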
diff --git a/relatorio.pdf b/relatorio.pdf index 9e9fe5fdc4d159fa98324cd696b9c746b01dee0e..8e9cd5995601d49fa94f3180defde696653e51f9 100644 GIT binary patch delta 76750 zcmbSxb9AJ^x9!Bn#I~)DZQHgvF*}n?Y$p@j=ESyb8xvbEbKm>jd;flG^;c`xsZ)EO zQ+3v=>aV+C8?@{VB9;_{J)yIZ2DqWh=di|vyzx#8?m`Sz``Clz9NMwNrBdSgvRsJ0I3N_w)!pav`e}25!oh(H1ANf?$G~~H>`JVAkh^JW zZ7O}l)TvQhNt;^bOzD7j3V2RY+s3KW?YeF2+dJfa%8H%=LZ#7JY4so^JrKRnY|pv0 zjeP)Ja&QO~{`=9r!TS#w3PUf#B}}_2;Fe3@xdj1qXc)c!MB1_Jx0Ub_#Za#21o1H4 zb8ESr;JcHTHj3ik8)g7cnt<3HPgD`LL{)4=FqAyJR@2L=~(SR?X{AYB?tE`%5Wx5oR2P!!yUW z>fLL}dEv9wx`ycT^4s3mVv9wc>& z$$4_!%?OQP;1KwAVD5tQXC=gibnPNRwRWfV`JL3A<45y*F3%q);K5(8Po(uvrkv~D zF1EN%bgUT2hAp$Tog7a7;mV}~aZ-{1-01P>3&vgkk%+!y-4NQ*UOEr}sKX z)h;-=7aI$IZ^)5!sfnr|u3(}>>A$#JKN?Y~~VZVPQh#j?c+DE4Y zFFzh$fRz)~4bje*2&YOKI(sHiqf&jZ6N{RJfMz5$0|9$@UY3LT#i6#B24)(X2gx5w zTCTnW>z(xWY4>9LS=hS^txGP1-oq(~e+PQP!*f7=pSYB<#3vA;`1bfOL&GlA+Z4FZU(}Aw* zwfUJG#)d5~o;z){njWTy)6<-}O;i-W%G+trQJ<$lA_7qUD3-r8Een?*2JrU>@00Q( zFveA@kKe0Y6#Pd7;!w+SG4?a5^atyU3G0Id7M9KWs(LI)DsNs~%Fddd^Iv8yy41;) z#c<+y#D>=@#?_0??mkJP^s2TnHOL#C^0&|0vOUWc&U&d53+zhMNDL?2--Bt7bAba? zW}bJ4m!JC~3Zt|pxykr%2es@gHhavLKy8VI>w;EzGPdvVXsmd{ap8zf1mz!Ly{jKS zGeI-+QjqdPr;SdzMR@H1!e$#0~Oj#EpUx zkK=Em+HFjYDItFuL!z_c5Hs0~+=$=f%9<*1xD2o7e{l#!dz>;8o zTQnbTxuROCn2oom%J{uShA2d_4g=^GC896_g`tc0IpKat?yRh2ACaG$LbO!hmhoLf zRJxW64%&(H^KBBHg}Aq?q_~NGP9hWXKNf3Qr*`+EOc$J`H~k)2uGUHeIsJPE3x9ky zq11|(9<9aK1m;O#sp8axFgz_`2}IzJ^ekfK^;>~m<*Y{WmrW1xyoW)QGNfC4Mq@i@ zn_K*O90aNR4I)U|mimb)p34S>(1Ibm^>ggcGT2L#Pg8u8UFhG~1a|8HkMF`9^b%2q zX&jjC@P7!!(Z?K7L?zYx6zWIE3#*(Q0L-T?G)N{O5?87Pl&q(1iGft74u%r0i%1Vzl*dm%sPh z4WfWY2gutBABV;X=g&L5Lm*B6jf#kgg52}7L4lTJWq6uN+h9uB9v;Or<2vwudG-?? 
z`CO$WpC79rwyPtq==$&B5WYa?^Ob(+R798Wr&0dT>lg%oBbWD`3GJ*J5-@c+bYe5w zj7NdL$9;oDhCiz=J6}J{huWK;dB7!^mGfh7xuVQ(YED?TQE90vO?sAc{xBLTVUi9IJs zh)`iC7aKI*)an5DyePQm0NG1FH^nv!n#s;wSpixN#-aWFBE2$$$_?70cn&1UuNoXubFYER$n5`@-{ok+Nf|0ZmlCktH0bAjt{RsS~2({}oy zYx4L5=caVeaV{#hH7799>(R;3c4+oo$e^m_O=coa7#5C1uwP2;EwJ`>{9?{F(1P=%}oL15l%Wmg!IVFyy60v{N z&z(o*`l}y*iT8lOy?8k)H?%3!_5ut?!l7X>+qHht4Nv4u5NgGyrFK|<)KViemH@bG zvMq*#okzehL+%g9qT%>q9sOpcc6n>~%@r!2-#B94Ri5bip{lp-gDLR2nI0D~DfYgc?m;|bmeEE$Vk`y#k2tL51T`|B8i}(({FTm-c~C?A(#e!~FHh}Tp%(T% zddV1C3hi_9IH;RYh^j9scY$>{;-6_@7cAs_)7A0xqZ|eVktE1m&|qiOeFARg?v3p@ zPY{pv>cD1w5C>MMOZ4f~7>rdIK~5{_CnjJ37_Utx&v)-_*8oI&QK)7?s3AV|B|wdc z+eGVrj2!tq|Q^ka~v__8?h26(s){GHj*zI7wfGvBE%1UM0*-ZTJq8& zh5=EwXE7^#{%dLdzAet6+wQZ9zdfVN9xYHjgf^^ii{Kd=TbKIpAnm6W6tHIYrp^g1 z;NzGqL`*~u#@4XBys(V2X7&~?mPE{)0G9u{A022KIIOWF122o2ZdhPbRX~|sOnr9Bx$nWvU zLQ}iL(otT+X?>^w>6>6!>$~y9NL9Qk%YKv~lh39*WZNY#jA$&i&FK3L!I0vw?JIvf zw2D=(8(FKOqD7-&-Nz*7RLx6CY-gR+07AIA>DAJIjIyIk6J&FL3NFlzb()Yn7nlF7 zYX(s%y-Twij{gTKpfG6wPNn}QTI z*ifJ)TJI0Jh%g&m8J1nC$AFObV*Vo0eX`k zQ(Hq4+kpAp*4fk@+8k4HWmPSyB-!~j(&DHB4pNufR{?2Z__Z%*b*rC}vHg#rK z`i{Flbp%aXB#VPZwy+syMf!fCxINLcF4bgpKfW1zIz8N;9-P3j5|bN60J-Gkf8c1a zNzbCe_arf9CWa0v(}kgt=}`77foqb+vE}(F-a`JUabO=L#YXZvwby%9b;7Pqlyg}z zY?q-WJK)3!g!2asi_Aaq?lAAy2_<{${X~~S@ylk+4V??^8#FWzZGmP#Q+ z@IRh>|E>X+Skv|y^t%J#mr4X%;@865TPz9^E#i`DXTh<)s45=c%)j3lx~s|y{?gMo zd9G%#&bn-Nov-fXgvd<6_6NH67aj3~vTfGNw>NAs#~>EQKqmQ@9H7rmR312}_7?6_ zd|BveAehh@4|Azxtx;Q>wH^+WUfwU~QGO-RnFF`A!*v+_{O#+H8e_6H8oZDi@@SgS zZXpI|&`Tm`oB?~1@eCsPG}I}c#nUkN1k*C?MX;y8&RxWdPaACoTrFr!yX^s0l}h3d zI9;UGIqqw;MDnM3#lZ7>{!<W@IHu{nBs?jov?%1JC(7@(SE^WEQK6^E`bLzFjDx?(srC=Tz{bnzj?I`#}4@7Z5diyvZG82$Q3gjhUf$y-Y zK9m?+m|=A!L}Ayx^mJR8WRx@LhPd`kXuec>H{bLvb1vwrY<)BkQ4!X%s=J4h0F(e> z*UT?GJYu$z@Nbexo1Z@RH;uGSt*z}8O*YH~v+GQXWt0}%~YirXLuRyZm!f9ElW6%im19vg^; zQkwkwl^+=xo=&N-zU?|lg^72%1p`2*=oL{MOu&^<360x(gezhDN zEDUU4R%QlPA~sg$FFybqGXo0|Co3xvJ3IRq;$q|Y8sp$(V_^Pb0&;$J*uNaVIvjv6 
zLJl^-KMT{>S`Yy^{t2#%gPC0{|XWC6+3{4?Ms@2i0#Y%<;nUl8@8`Zzv#c#?<=G)-mf45U%CFz zV*ls%ro-}87c5-=yy{aR+CT_c{?*HWRRIeV6A|nGdj9q6b)kwukiG(8{~s#0dPEpl zVNe!8J&p_jM2Y3UiVT*Y|3Br!!v6ml|L3OowOU-9|G75)+v_i#|8&3f{{z1UzBVuwTDWmjju)@1j8KknK87xCMjyIVXkm~)&em>mX=SCo0=OTwThT0zL2N68MH zU+7w5pJ25>iw5;0WWw8BT*z7`$xi6m!Dm8aonYm1!pPD^=|M-zPS9WE9Dl+wSXkOf z3s#qr73WgPynh;{rT%`$rLwXBnk!rhJX2I5epc?7pYGdQIYOeoC_>&T2c z>azOrz>qvx1di7GfS4tpe2BpSE(;%d4o-tn^m!+7wWSUYEB~Ng^jQMi+N!zC!-cBZ z(!$B9?xg;8eo^^ZZ+=2&eqv;uXLw?4D`aSHxo7)w*h6f9&2vl)4d0-i zrtY`gTR)A8&v#87?8@w|c8#xrG_Wu$-pC$vEKV%Q(=4pD$V{~?OvsKuYF<9JTud}5 zDOGqBjkUWQDC-3?qeXu<|j*wdNAU@j%+P}*~=pFsbiP^Dxe|dyXnxJ;JE20tE z=6;5^f$K|x%$sonPla(@XjG+UVyHH=Fwu)v>P+P>-n^$@h0?j0z*qq;rV z-pwx34HVo`BqyhNb;W&YFeIvyfK^xTS1glPAFV-o|43EoPJwPrhYyL290jTc6RzAo zC4nNa;Dhl1T_Hi@u!hg?KH{}nISob5{GC?>hc$8htQ* zwRh+K><%&u9d~hVX_9Si${_`?qe=;3cT7EcOU_M46HHFK)g{8EBhX2j85T3Vaz^)Q zP-o$wIm7po4tzlf689qv(V6b;zrw2YD?KB@#k(6qX_|``9If2lQoi3g-g-nS^#?SG zh7MaUt1#gM3qk_t`#~K7HMmtSnmP@|oXfwL2|%r%T$-;_TTUYD#RZSLuo#l0bHq5rj>hD(u-qdjam_Fft6Xd#Pg?(G(pz0%? 
zzev~=D51dW_eFKQ=4I2+I* zd!QOq{idBK<;+OX@q*`36rJKJ&j4TT?}(-yMO%rDjclzwT~zyVn})M77d0g*_d?7B zDS3!@#el<(ahLr0o3lR5dMgOa$VWF4mnwJL!JJWjn6(ibxtLAy67vC4^3inHp7^p3 z$n_1;Oo6Ll;)kb<)2142aOza2?Zteq408tMz>o`^I*zG{Q{G^pKdG2kr`=f58|T4( z0g0O*;9dA5lSMZK)kTIyRYKyAuW}=Z)7c0633O&s#mqFkfr^*(_;6}%w4T0j`=psn z#?{)7faw)Q;z%({o*4eN{QU;Q%+2*5K-bo$bM@q!IrHq-bPq07%kNirq$NH)-SY7E zcv-YT6A=hay5;8NY~hk~h))+k@|s0L#-Z$Xx<7Z+mH>>5LK!rtLQ@G-ZbMK(PfgRR z%a7z4<4{?QAw!s)bFkQkD?2lMAu(QoYOBs^tnFnS)S?S^Ak*LdkG>tq9iJt01I4H) zKm$dmwB@;FEbfV{61k5$b#!iW4Vq3u<50`EdILm)lf7&p%3bOwO`!mY`-^6jGavAK z0n{nHT5=y6XxHk`p^GI6hQY9LkRe*-YP;kXg7j8)GnJBwj{){sTkbFd-yC;ETNOen zx}u(NDa9X)si*uy0Tq%puu#FGKm|S>$LUa22o&l%)oOLKfpXYN=om2bLw6=hf630R zvXgR-fhUtNju;5=nL8q?mDRl}B4sv*rxo=c#QNZ7Wob%?knp%mf*|N)li<7@PM`jo z0bBPcb~5RR23t1nE2C8q*R6_^KU37`H7YA`irQ@y@81dPzMEf<{mkY!0+vEzC$_?< zJGi+`3{Z^FvB3A*PEmNdMoBt=6WLW8&@1vu{^~2XWk+#i69~MSC_5Wj+Zo5$^sgr~ z-Io5KevPCSH45P18a9HT3xE9m&Jy2n@0Shm%6M?joOb7lt8Btxr|f59X$xj$Gr)~v zjtbSHU|rax{3LSqK!wD60LI*B%`vlL4M|^>D;M#w`ha zZ<*xSnU$uH=NeFw*+gUblatO7l})?Q1X@!N-Y|*s*J-}(dx;uZED&=UB7Ou%47U{o^VH@lCdnngcN2kWzSrhr7)`5M>*8q)4BSmdgQJ9_K*cXq>h|f ztCN?#oLz_Zd0&TEpFMnoSuL|MaurgoKFsqjq-rE6I~8^R>G9Y%wfUg@z6aU1nFGd@ zg1=%;I!QpCl!0pY4B&$AO_rNZKDR*BBb4*CcyT2H^>Y$bv{ew@Nb2*63k`~+fyzd7 z;St+KoCM0NPKxhpx@UU>Uhs5A|a|G0+65#b(+-?TqHX#384;yr$C zc8~@{lkXqw^4jUDE{VivT}|;C^w+meWYXN%{sHuFV)WMN<3N&~pR<;0Ts8Hx8rMuU zL9KvE22)nDG(Dm2i=}M&tsew?j}=g&hs2-^U7+S*5e#vOzl?lLtdyNyw_iEQA+Z?5 zqqO_`X+f9k)=hYfaF>z@$+)Z@f3Fkt^LoLKk0f|OhO_BFC)7_L>=vP7NA&T{nlspb z@M%P)5wry>sQ^b>vJ++L(n%k0g^yaMtS*xj1QEGaa3-E3 zEYo-2qcDJdT|nD=On^%I=}SAYx8k3PyquplzS?Wety)=6|PVsK%73Q+^9}!->V+<^4uHNh-)o$fU+2>elFK5kIMloe!7S6=AhqO@?x`g&IQ_clMZSSKX3$gX~%)H((@PvvW-$nTt%j7Hg=nz&KTsIUpNXcn{X6is#($L+9y z>J;fr4PlZj*ihXqJg4rK5@5OUxdTAwN1pr-f0Krdc}39F5+;Egqm1h{{k~i{#OF$K zYXd&{BCHXs+vam)&ggdvXA&AWv-OD5;-Y2WArO^h{4VdQyg0=max}tX^<8Z#VEtgJ zv)3@wL6?^Z7QyXXUar@w`M1(I~&@= zZdUUe$z6Y^&3+bgF?~K*>OjPuc)nM=sTB=4uV>5tV`RhU68$TLuz$U2Vc;N_IKC2} 
z;H4QvAK!I?Z+D=)?0qB%@upy6CShheC}=mW;WUIov@rT9olFo02CC|6lrd<*V-EP8 z!TusPnwYT^iRZXXC$M9gG1^^Cl=^+t<7m@-FCTA@1mVU-)RU2AI@+bdaQ|r!M4hBW zd6OlMLe(r{Z*?oCRg$WXpHQQBlNR>5D05& zR|3N%2iwpkS-yGt!%`E2c|N^fjU_PHprHPWeMYkS+w9#NoH3z5qcFsZC!tX_M-My+ zu4Ab(lwHGuZ*VBHD@HO_3+*E$v_5DV6aF+f+7ql#i{Nd1wo#3agNdm<;DUxFb2ME4dG}kVA4(FdmA4xRl#t48%y5+%q}? zWnqrVP`a}tql7mxDtMt%(m#LXJgwhHA!do@S3`FSOA`2(X%x|SL?rI?31$(^bIrPH z6OVgx;Q#0gfPi*IdSs(fK;r??8X7E)#>|m|r1w>a+Au*h?n<%s@P$@T1BPcbrJD1q zu_U6{q|G&D?zIsj9Zu0K^it(itA`Ag!p!BRUgD-<)$}QXKui5}RHImj6BmS{x#@mA zU9f01%+<)})Zn*n2zUR|yOMLq77$o!!l{N8MF^1>ySj+!Z%k3x;~~hH;%vA8oDosPvx|1FW2`%^ z&OT%i#D!8q#AREEsI;abk`y6MPtQu>(HKD;Mc!H^6uJxNXthIQ2<3qn1?iYli^S-3 zjGk7IxJfKa8z)r5NFKo1II)F7SK&wYzHX{O>-tvwLNTeK5KD9T64uTL%dq=^i>pP6 zdJTDY8yqiITv`!{l%zW0hc3Y#JN^+B_;3Y z2`^T~+zMLY=|{k;;$DMUFB=vvrPiXYii^pHUMYdFvuqEiNbtw@;V)GA ztrdyUlJ1As9yQPyz7vjOThh9oK<^>hz_vIJOeI&R)_V}3(lY^4=r4+IBxO*{^FED*>SUv$$8ZZm`B!$xtbD@0nL z_X}r)*I1W2;+U(3R{a~0f>wEv^vC4&_d;~#mA2%Fq_Lu1W+mA%aaNS3p~C(IHWbqs z5qt1D4dTFHzSxoDzhzu4F4DkJ`SMSYG>gmItLrS4Mae;xzBmyKyINQ7i3+LY(JAW> zHN1_$;Ts@k-!rQqp>@lQLKoX+GD0)HYn2~K|CJcTgBg4t3Bk2C-oJkXMCry(D6a-{ zOoAtzh<@j7_i#2OqnrgW{o>W`;F%aG!tu+uaIeUH$k)fljH|;JZkg@YNIurI7~{$B zsn0u5PptZRsgF~PW2a07ZyUlIShWv-+al-%NCZ;3@xiFNClp?ZJq>C1$!wj{|9(0Q zP&nu80K36eLMC%<)Iz8rB{7zvT@#&nA!CeCE~3aSlIs7w2`Wlmk~Nyx~S2gSSG0wFRm;8-4>} z&;Zm^mV*K57;+a=wa$@;;YW5x*(=KDFYG~6V%{XvBMuL@sj~cI01s-csJ284B0!r3IdchCJ%p;*_C|unR1J zYaPi^P8oaBO{%xdC9sXr0lJA8A5>gx0-Hpom|(I4ael|I=V)~+P;Xui(d@cDZSAzb z7}+sNo+?X{9V zHqKr-$~%}{`2c^Jq1jeLr1T2ZEjWYE==!WEQ2~W3I)rER0z0vou3!?JaaW)nNS2w> zOROF$))Oi}bmWYpy^&j{`1oaS5h83%EhJ&J!fMeSzbNvUBs}PD&-|A_?k} z8SXY;XpHRDl#-2{$h-i9EHNy@sAfG6zEgXxj5f2d=-B<7KOBn`buB48Te!u4&*5QT zhw@i0qzXcF67Q*eM{~KJN&cSXFIlh%`&B;hFA2srEG17E{EaU)75xQ#6ACsmdb9Nb zCDd%zWB!HBEp<~!MXN$TYP#S?MYD1*plsSMA`+AE>-QrV5vdr~IW@*qJB6lF(u-Bq z%UJz{>7)-W#({B6<*@9#Mb^7H0cuq2xHIXkN(FGmV9PJf^Zj~li=i%6%GG))^CWe_ z5oXO}KXKwf!Q6~mw&e}TUQ%m`9{TH{5YtI)BD^;)GVbYiJcCS}c0}%l+*ICK?S0}Y 
z8%jgG^_GJ*R#vqqbTi#h5(e&QaJ5LUhUXi)aE0I<{A67#2I`$97h8+Gd$k{w#KzW$ z2;rZnM}j*0Bre$?hQLOtq*?}+Rs96?ECHPBrlp@x<#43Xu$E}RA@l?JYLVya5PJYI z)jlJ$6B-t05R-|T#q8;@YESN^bOVGWU@kEB4L*o`PYsm$+SIV$m2u0={;v|(js>P} zsfKlV43WkUiuCMv_j_Ai41{#3D^DzV|J-QyvPVNtf^s6Unf*Rr_p~?J=g2c#H$-|C zcGN;7r?uFIAa`is5|i;%N0%zLbMuMWgBDTASYDTMgIjdorm=EL{naH5pFfP(Im&|9 z`@~uzE}z=_{uHT;FES$sFuTukEj@pzb~h;{zcf(% zE&3gOz8v+zO|+m(nny_%bJs9PIlw%-)!2-Bi`{G|x|XcF*g_0Wjvp)ulfS?{cmc;# z09;9v?T<*Hmp&(ltlir9qB@@A#z%MDLrKY9EyGzuq6#dGNF)xdwtx@cc(U5JrHUABfgPY{==n>8c@q@}HeUWD@IBc=x;Y_B}v zrZ#w4q5MTA?X>sX?EM`n{D((5#{5wD{q5RoxF&)(UZcK1uv;mm8KiMpF)|*`<;4pq zTe*g!f6HV1hG=zNi&k7yr0-}$?0rihwAWeg0XL<=?M`Y^F|P_<2R*-&}7 zY0&JpAt?_rsG5XbDLx6&%DB3yTHh_u{CNVe4UUdJqAou~lkqs9fQq6my*OZ5VJwv4 z?2iScbdkfsR0g@d_u)LO5v3e4{LI6ZGujc2-_qstP6lplq#D?+K3sLRi=%_~W8H~| zgLX0;x^bdT!Obt29r)Dig=Y-R6-^}REx$?v1aPDSI=T&IEYz))xeA7MxpPHew7EFM ziU;Ke> ze`JZOG!#&A_|D);Raarzl}UVcqA1UB^o@3WA5UVH9;tj;=OutSi%W(jgj#S83I&+I zB$^=n>%GKaP4?&ai<2U=9a%V_SQ5d9Lg>!d>t!@KdrIu)8Jd0*k}QMbgU>Z1HWO7 zUtNV<6RE`VGapbc8f2o8XVmt((q~&BRgI?Z&xHwbec zth3>+Kxxo)WzsYj4sO+S2u>_%6W?IWD5$toZ?lJV*b+Ynn2t_zc@S4pb&RFv&uW^9 zMQ)E_sVI_8Y=)y~)pXLg~h)y_mF{7eFPFn0L^(H%b zU@lFKEZ@!EfNp-GBQ`!yg{d?$l!^!|@#2qtC#-a-p(JsA86H-8(8O>Oe;CbEej}`T zxZJ9lJj#p?T-7(cj$p?N57TzM(kXNrdJ2hNOEHxY56dltP_#l=_dR=^RYIQ2hbw<|u6VEnql`H`(D+@xBFRuUzP310_oc7udx(2hkFP%|r`_VBTV4 zj;a#%Ggkljw}rscf`$4RHUxA2g1fng=3NVur-!7Io(K^I`ubzW zOJ$a>F|r8NB|W0*+q1LB+`nPhl)qV_@Hwj$v*Nr^_X2&Ur8LLGNZsUegc+5zKD>8;)@Qd)KP#vv{oA>1gje#mmqWE*k76=%isWY! 
zd|Q~z3gfyUlgy9QKaQgk#D&v~(^-*rZPg?3DmMQb9FSKpN)Z{T9+Mf-09UF3rD4bS zt3L50G0zQCHg7kVRLdVj=|<6uaN5E;fARtL6hI%TBY_=ELk5ciz0gCa1a?%XZ6#-9 zbOg^nVqP7$xZZ*L7Q_YLrD~%gHR>fsA4ZA!(Zv;PTMmC?t6Gtsg(k!lJ@E1QEprLS z%v2duAM1mmgp6f`6{ew!_<`Jq8t7B9;0w*AZQA&d;c4bkAanfjV94TWwcOQxR46y2QpanMK$2XT0#$*Qe`* zZCz04ydIso7WSe7Xembvv(Ddqo_-eNcH2?0C4@jK)Je_a7A?dXRx&lp0 zdk?u@h0Vkc!VGcTS1bs46h*Lz!aP=1-mp{17zNb#9FF1)8rK!9rvx zhHU)BW?zb?=SEcgb7gLeAg=kmAl`hz z)~V*z#__lwl`--7biY4w84M0zr2sh<-w1Sy@wd%-*r)?{!9soZmC5UqN-A~a$89`* z-SkMm`RCA6h!nGggh;l0XKUMj@BDM^D3JeN$LWee$dl48|M3L)|xrkRdA`@es82{kUPkTr3^ao}{Sl7y~tUm7bJMyUkBY-2<`aHH_k1Vi4S`wof zk{{NToL(NGl=BUvn83pQm68_0_h&j#+izul5Q1sA7~Hol>cxHhW7j{7Ox59+!=5aL zcju5-4fzbL#u|MpV35=K+x}O z?74y?R~QQrsr%_2+p10ahe-xlPtgA5fqpRhuQ zxLm2G+)A%ovx+JR@&j&^6YSvxr9XWNvr-1tTKbl=l&OZcB#7oR!fZ(AaGY_nN~#=P zi}!jB9EMoRZP|b{Rt&y@H;UAUOVjRpIQxrDvPHX0K>l~9juFdG_=Ju5$=V*<;agE> zI9Z}5prD$LLD4~K4im*}gdn1zKLVW*jK$se{X8eJ>-5YI%{mT>6TJt zMl|nnvJ7b_2qg%4-M_g505dnRl!x_@v8l80G7q{&0%>6EUG=A+nJKFje%d@UkWy7Y zA=n++bc>cx&%gd$+60e^E-)cHC<_<H>>vkkY=J;ZTgVuVeNr(AT&GU*K2*;XlTCbG=8;11E|CJ zP?o9KBT*o7g46_LqeMa0w$*2!Kiow3zFSS&w|?gKatu& zrC#jYVoAMqYt6pw@t(DK&mC7h-k5!7Y)G4j=v%-#f>&mpfo7JLQ-^Ohg{gL_lWQ~p z_$1j7?d1!~zTaPmWQqcZc!$0o$@vbkgvr1U-Yqu)pnO-U`p~lEgT$EH8N|#SfPrBA zFPpqkusVKrIy>vHIsVROji}LQF7kY%l8klTNq9-d@J5K*q;od46(z#45Pw$_ZNEG| z$XcKRTp~tIGiXqVSq&q%d8r1&_KvGr!fu~PU1s1ot{m~GmK_lsPTLFd>JWGh&39ZE z^!0b7$)zXGVhtJCKop}T+bBQLUtJ4s%_cSVGLE{AOK=6iftV=%xaoHu3QvFri*GOU zuQ=Mnuma^yTx<8tzV$R)e`lHL7%ET1V6Zc3 z!(=g;+A_XGd`M3VtBxy+95gLa>7&6iiSR4K1CSGEVXI2&IAVUsXO4)ciONXJSG)OQ zoP=4tbylwBc2jUqcS9MIx;lSK_K%nF69;@s9s*FaEj$sr=Xr*w3BIhoSNU!Q}(YLV)(7e)6GdBen6 z9&qib802o?8BOuTVh76K*K<$xn-I8mdn|rkMkE!ClauN7;2QL!r|KgsjwKQk+hI9H zaI=Qzc91;)X{fHfAQ?C|Ux`_IGO`g9xE?ai9r4$gXfa$0XFCe!fE)T|md2K)-mGb~ zBc|dCMlA80mo~%qXCeZ*N1gOz2bz-g4u<*$!?$6UPIdE4Hf_3DU1}7HNm(F$j2Qvd z<#VTmNcwLwoScMe3ZkM~q}**ZbfSuMyUc7qcrRm@B zZEvhQP4?6s+z}}xG{M8dnAX_(^4T9sz|}Q^??cyz)q(Sn-u(t 
zm2kqjwMLl!GeyxV(Yc?JRyHEHG)B~MQ$;v_atWxkU$Cw0JaHGtE;%pV$>X}J4D@{V zZ%!?9rfzl&=P-z6HalqW50P>eGyPR6$+Z2WyY;Ntrd3PO@iuq-heh^%iU=S{z-S~wru+8%nr6I~sLkx9|~@r6KOxD~02a zFQc<)flPe@k3Wghhgvu?diV#HNZM4!6|&(iX%lnz*~Co|sn>wQ`EOK(32wf1n~`ws z5>ns?yH@Sr<#zUW!=36R*(`>D8ER(t?JaHzj;2!$$qYGn1xa_CNngvku zAf#&z;*}nn70S95s=vV$YwjkaC3UR4i6|KA4p$K;IcM!alPm`4mfPyd`?*z;Pb_OF zW8HH8e*iu}!M_~2WGTkuF2o6YgAqF=uw^&NsT&Y3D&o6Rz-(W8UVozap7?0vc>2GY z;Sll1y9S2ewZA9kW9ZTc<)delh?S_t>cRs?&ggPCQhv6nfjiPNWNj6nFA!?4zw_kt z`A0z#u`Q50wBMdtbGh36J0)p?%=iZI_&9Iy34`?cZ*M$g_mHhRbr*fT8#&F$5`mt+ zhb0w?#FA;!?58I8iL z4PXgQuAd-r*m2=Of94@ou{TQ^-FZCf{KIztY$xKfYAK>ny`;lA^ayXAk@G>;=v+`z za!&GhSb5S^qC%@cP*Pp%;_=BYL#JV!4bYsr@J^frlz+Eu6-{Xo#?DP4UTi}?C3 z*@EJRuzyI(aYny&7dNUo9zyF*&Kh0Wbz($=S-_Mqwv^Z0&SZ~d6Omz7rVtGBL7x(S zKw0*s(lbZO-MkuQm5WhJvDyHcj9tr`?`|os>|DLf-M<{zM^vO$rUVm%`68U^D}c_d znHp#pI5cSCxx(o$!5ls)!q1Af*@Y%Q*QZRpXMZ}m>0;FHX18kx%FN7;eWl!Tt*7l+ z^{x1|5%&V(45Q2P_HC}cw<3HKP2Jde%-70s{br(kzuJ44E0px5(zQTsgbh;$Tc+oy z9NZ6i2n6$5KS>NOcAVi@8d0&$&Ll)#RBTSjqN1rEZ)3lL@YEa5C`mg1gl7>5F1+9# zHGk_^Uxb1ikuoOuQ{Vd_J~1K+%sZ(}*SyO8NS3c2fCPQNGr+|sl~4e+1}S3G+v}gR z_v@6GSKn)*#DUbKid|iS3A^#YgO9t{hm#^@0`cm5Ba@gNih^o@nh}g%yT~)mu^G0|G&Qba=QYp`lY^A&o)|uk%(A@CljE-@360W`DAm zGv;Ja(k!V`qL79@NAg;o=P20(fppVI4djSCz*C0$`Gyurkw$qwfS|O=*n)N37TYx0 z`tUgom!20n8Q+HFlPG%4t=tzAW`Hal;lBvC_lyYLMhRo1JdG)sIjxhEu0(bvua(ci z{ZYuc7s~{)1fiX7ts#E9c)$maFn_r5r2&^rs~UV7+E(9sVb2dX`6*w}L0Z5L$<4WJzR*fMgjw$|CBP~}x z;OGyfM@Y6HwdGvL~^(J)cNPVY|+TLp&&ttzc|O+<~`JL)Oy z6(B~4b^EE#Q(2(@_~Oiv=48)QLW|Hf3$;u%CpSN2>m}VWz@R{&y+c#yx~;pdnsoCl zDbxCqmAHmq7Nz{G*Ysk0O7qwQepVsC`R>%^-?dQGAz8$A4WK=~N`KgsPEzG5_2gQa zdFMrAHDNY=RY@R80t8Dj9OMH)1ihpVEq|4|w+=ILp8RCG+7r}ms>!j~c)j^LMC3E} z@__foDAtf*O+G~={;HU1H

cOd>l=fgr?KQ0=E-Bn!Otk9q+sIB5iNz*?5Z5(xMd ztJ@O=Pv#*YYC{C@IDhnSNyyHCVb7OoA~{WE7&E<t zV1tx|4`FAFAgOfL40C|dNwd>Yg(1M^6tx-=9x%2^H0YsXvqasz9FZe(18&6LhZ?Qh zTmBq4hNh|cU{~a@HUif_I@n zf~^Z#uII?TKv}4N4qrOK?3#W(qUP(s18=Tasz3yQV0pq*Ucu0JA75+O)0}C%Rfy1z)G>x$qn+)*E?)J zDgL8xT7rl7(iK=;q-iE1!~N)Cbiq3nnRrT_r=uo2umRX%kboGP7?6@`8N(*^lJ(Wl zCsh?`V-y#t1gdk)eD7mx*z8EC$wDVMQB-S*Sbqb8<6K{Dk>BG^4jhHoq9q>nb%+oy zW>H8*n--l(0UL*-(VN-l8J|@*MhDLtcJUY376(`4zMwk<6A!-k0YMJ7_dyxXYrLqWqJ^^Pbu3}4#{Af0X=K+@~F->DdRrB!S` zM;JL>JQ)4@8Na=fzFIePtHaFUsuU4D*NY{13Fs{c4^&||4)8`+yMruMhA3ph=0h(O zQJ&P(`C@#;9iptSYonjk8h?qsNN~PC&3Lhho`e@Xv(NxBM-D!*k`m+!gZK3pz?Ro< z1>UGIo^_o#u<;U`svv+VMXCVL&uq4u`Z@DL9I8N-J5G4td&o%3ZMaMeS;Rolhi>Qi zwuBP(0xTIQ7+`*PB=@rLEzgykK6fNB(Xh&kIyiWisSZ|!TCZ${(tnX+`O?H$?A0Tw zK`{`F#1WdvXJ+yxif&$s2;o#l|%kc)s4;e)K3YgY6WtXepz4M zY>y=cFz>#NY5k3?sw+ROarDOwk!;7$^JaJ5pijqgmXFUDn4R$lY5nT+SaOK0^IOgq z(3vYB(EM9w1gWM-u79KcPU&mTk5qN@l^zSRa7i$%|CFuuT`m8WE>1dPnwGwqC|}ij zF1smqA3vZBHhC=ivU*J)iW3Y{F9BS_m8olV>8W32{_bHC=`|dm6#I-r6Gw zuiUXK#UgMNQbiyHYC$)Jik!C!VXdmd>F2%;@iH#G@~l#uqJK5O!lf}+a<3{4zv+P= zPYRCVMqDy5kBu{OM(59qfa_MWwXTA#%(KIJP2M%An;+NOQp1{}F~JW22|U;+WgH|8 zvS=NG3vTs*5%^dihInQ=`BoQX_Mqi~1dyGr3sBj!suc1q;^?JYis2W0!;#g2k#cxX zo_H9A`Q(S7h<|d)6_x)#f?=o6-URK_4- z7xMV|f&AExd=6&gbJAIK$bMPzoukr2<+a`?zPk6M{JrT9IHH7r&l=t%GuqLEwIjV8 zHp>(l;Ke*f(bsOd45WFYt0txB9u-zTAN8;=7$ChrG=BQ{ZZe42q7epC~$fGwOH z0RZQ$8h_>Q-}?Yy(9GBNf^28U%DLVF`1fJGlfV@_)Udoj+Nx=3BX#Bs>Rm2 zz&QX9aFLImH7P16M6=X zl3pduPH%!$`rFB7Z_%&u?4F(iJU(f|+vNOvLVst5|EVPApGh2ev}pX-iDFu)sc3)P z$^AfaedDWt<+qwjIRJDfoQW$&BBQvFY)5)3YYmnL}g&=@8C+?Df4n35auD^>w<7|go5T)n&{Me6Z~ z`FP3?sWXt(+pvsrJ!Et@PS53X04#1E?U1&z{-%J7 z!@l*^TR!&}S3gA&w00u;@U3(S5GSqr86 zPhU<9D;`UE?Fdh>Xm@QKI4$nFWQpf&RO>>AeD%wukYa+kq+LO|Ycz4{0j`vN&wmq^ z(n>dXqRy~F$2=F}W6%ag9}HC+B41M}I#6ZZY-^;zAa_Ec#nbFzwyz0^)Vd;YKOz}H@IH^ zty|D^Mf}Er(1OLvolY~Lcl#6Ka}f5(XELgm1pUgIiKESkpy4JLul)0w(SNgF$T<=% z@ufyR^v`$A!}V-&*9{x_qr=3$SJ1E#4mwO>L?Kr7YF#eX^i^P)YLF82n!}?AdRrR& 
z0GpN1_r5r{C#2U|c4GgqhYA)#o03_MnfO9f&CDuF54BnlzE!EkjkOM{Frw6rI$2=< zAc}Js{t>kgG%4WGu`&#ou77OL-?+7xTN5tOfwDvnmw+G~n$(88ZNnVeE^s2I%w|mX z4}fx3aut2I6&5G@2cTxQcX!BivPpWsKZ|&6fRilr1_^w3asw!!O>$RS7n*$i8+3!Hc8X3=3T)CVCfW& z2g?HBVd!ciPft|hUxd+^wz0wq5x;9tuqfgu;BJiIuxe_4Djkf|gH!ceajO$VvfYjy zME-LQnfianNBqPtWPgtP359u&O!u9>dxbG~Ibysk$)G3=3OCPY*!_y=TD(yC&hT4> zO{^4cjW_dSgFxb8Dvh+~$Ec62DP*)B9MftkdzYW+l+qZy!l4PHaeq+B;Pg;AM(lG)6%0S> zu7b{70xZV@Dc#@Q(21*Rnj2nyw+R>1mjN;|Zq+|uCmyy;_4)d7^01VVl|=37T;2$6 zE#I{w3ei98e*wDPd4d7bp{H=(7+8yrI%=tH#C?^(CUPw>VG>BOGOjU0Gn4Is_oahG z?&!WDH<%yAd4KyK0U9jj)6RZ)aJl*Gl!oZPmfm5Ow@b5hn@f(U>B;D6Cxu`b-)PJy zM&;*jr-(P*FK>Y7NwQ~Lsh(g#+RzBY;mJ*SFo+lbr(*S%XwR&8O`O$uLjE(sF*LXs zJXNNBYTjWb1qjV_0SCdM^+Fwa_a_1EM<)`!_z(a){J7JQ!` zvkKIFvzai(8a_Mw>k3SvQ>;x?EmL=sP zG_IpcrbvHknoQX!$GbJlmr`f;9cx z3jdZMq6O`WJ;V@#TVrPUGUJl@WKeEH7f3!fJL`r$W_spUk$sSI2?Tr9O@~$Cyfl{L z>w(CE$@fHDZ6)o)=cmyYifZD@|LNCOC$qO&3V*Yi)9W&YUp)4AIfY)Q!oEk~vK09i zI`xT_%a(yQdX|9a!!UtoohKz3&hf{M8;4o!DG+4?&q2RtCmh$-;cPWbZDVjb>kZ#fFYk7pdcGO{s- zsqT&G{9|sxk@fgWeRgZ|<5`vb5Qz201%DDu1}DY;5F?ImFW6(p{=9vEN^@xZBAH5A zTkG#BDbL4nr4uPQHd)Si3pABuFBB8B#I4bY?yKV0rPVL-q*T{m)@1w4|)?PwW_o3nlIa47Q2vEONDSzX5 zYLS$V2I=i2NwVn!9PUsjQn7Vqvao`9I=CsFplwx7_!sbR2+ElM=8cNd;}y$H+^mbL zM#{b-I1m-k#n+f3LYk~%JVX9c>F7gXNm?WSvKo^%rC>&^NlkaT73Dc34!;#yJXP9^ zMp<%{xMw^dtT1W)(t`lgs%>j4$$!6+fHjmx|H~P&I8l3R6UK;OUSmOSLdS+}(50wh zs*O{WaC*tvFIF{uNJ}#$h6U6`Ku8f0;#U-F8wCm35I*@brdXX{7J1g2L42lF->9D_ zs6(>=OvK$nm5_S#0ZUZyDxBU{_EnRXr<7<9^1^n>fXOQ3AueOXm5@R!)_-&RKVJFT zK8RCz2{Wb*wnp*=U-qQ~yPy8F-@Ra8s}THsxtymbWS8cNpo9CRdkth?01~}exE+iU zGI9K&)8blMi)+~!^kg}rs?%cxmkbWq8QtDbh+Vu~r`lr4?UKA|u$u#@yvyB8NV(JB zNTK*i1M7^PCXy0}+Yr8b?|&S>C&yU3M<5DeR!LEEUi)wSa^AM_R7nP3FZ^2%no3OY zQm+GKras!cwF=qdR!NEHwY2p4MFc$o`CIdYuQ+v5N>5%gp7ff0zZKo*-szZVqswnQ zMVD*omDw}a|FyQu+)iN4P0C7EoXXkfVzPdEFD@>rtuqAj?9$e(X@4i|@gy9f_I06T z$e+*3f~Znjui>K`su#B6U==YV+u1}G<$?+*PscK>b;RFQ#Vp3;aPtvEnzAC0f%i+o zMu~u~n~JRabv^=4B1YfH zHO9eB9=XCnp<8m`WlgF@IOVQt9X-2Vz~nCgl}2Eh2cC$gcNL=aW>S)+V>3GcS6unlEVJ%p 
zAS-ri@e0+ek>!xa21j9Jm;jv4$))u2SU+PSkst@Vf8i2HLQYS zJMWr_P{Zgp6MsYj?5@gBI>@3E8%8Tdd_`K+*mhDiJO7%8#8X~C3xAw#`M9-FJ|d>s+y=S=0m zE~&JpGk+17!;!g2bT73Dm=x=tYqA1A8rKA4``JiBfA)Hv{0hTUC$i!w=5wK-S~tnh z-i?YE6#`*7=bk~DTY3xuc%wm~)Hn_FH5GgBzYfw#SbIN}lWc(uriAg31P%LEQFivr z(RW9Z8Qk*O&t`Qyf|rkO8^D}Ap0%6`=Q%pMu75Fm<#V65IL~ZJeGMLU+6~r7r)0U? zU^le5qi}7<91b}H$)GQ@2Z`X5GxBc0N3mcOCsPTk_X!(_FRh3szIVf4#AVkdB07=l zD7Br1N!Gq1t{V4bZVFop3PH?`99#eVH+V=1E$qvk7j&vsN%f>AOV~|+zOjadJq5RU z)_==9<5kjP+Z{GOwcF32>e=Pkk^6dK61Yw(z_f}{TkGiyofR*PZp?WhZ zN$jh1Z1+osiFHp6@!}$-{~{Qhg?KLJ8Gl~(?K@~Ns2I#tUX4ralZIaS<4eN0${y6xRu_sIw@Y9)p(0$-QeP7s*bmx&w`n4Ap%zoM;qjz zuH#d^o}lAPIV@md{S)ZUD%90ydB|r7t@1f&Ms(-qTuAL~+i!ghB92~kI;HG|h=RDv!HrQu&Qc6;2t*5)CZ72$` zB{jj+*O0s*$8T|byCOJcL?YM7h7>cEH@=I;7ykWi@~sb#1TihttS6lIrFWBJ}I>^bC~%>M(Sz zT56s~tbTxTeTR)5@7HNrnaiG7oqy?6yss%H zBk4No0gLYkN*CGUs^LQ%QBpAWP2yZW#kyRQ?`5ZkXPo<75a#pTC;@u$-HVYSRum<+ zbY>Vbd(Nvvc4S8Jo~B_p!jt~wVq}b_lrX#})ClO1(O4_?u}Quyzm{WT^@HsGd>_%h z=+-JXLs^AnCV(u{*D&y^7k>nCGGRa$C6uVz^><0BCE&G`N|TWim#cYI6Cm$T>2K;n z$3Oyt0$jfX^R1Z8ddr?|6p91XL2;C+1MdgOo3OlvrUTGY^~DlWQ>N;j3SKWO#6%~Y zS>hu9_H^wMCLKJ;Lm4sHKZuCl3toxbV#_&;0v!KWl*&#-X}&FeYrw)7UEk=?qDoce*_RUVNx9*x)%?|X-D`oDau(P)+{ zOoLF}|7>3{Ro+erB|ga_0nwL3hLL=Ds|1HY<=bUfr@gnGtgf~ttovJ zM&^=gpG$9wUOIF%SP|lsx|cid5IsV3flxB8-}Az=z`5t$9e@6k&PVArxYId4G5EU4+M zq_D?&W<;RKv41Jn?{#)eQdubpM~h;hU=p%H;)U^vR`%^#3Ip!^x5W}8E)E%^M^g|u zc(FpPI&)*(V1YS;Ps-^d&r;ij*~Sf!+}g;u})-V+HPLgQpZ zSM6G1o65Tm_j^6NbNk zaVP$pf`0}DXKsc#A%P|w>cqhm{iZ<6FmxmcR`d$k>;6)rlSTkh+F8*lJ?ph0o_%6{ z3azhFp-r{n&7L65ENLz9ZJ|hiyh^dbg0MU}!L*FLwXqc8tZt+be#mhFL*kk+8!X*C zS(o`~do=iOh!am%0`;szFb^=lS1QIPX9~ObIkiz#u0l+2N`!nP6yr(1>|li+LUc zET-Tkg#y|;8KuuEQT7>u(xo}1RcoJ3Wk^+&a&5jz1o{h*t#R9lE9;^VFiW+hR_ghC zhkwfsv9=%$plvf-6=lrmudu(4PY_Z%=l0s~r7);9N1Z>%Vl|1PvTw7M7o$s3Lw2a_ zT%Tc9Q@?hu71-hy^qiTNt?lGKM|gA*^bq!l4@}O&s{kJZ;i~*~N`0$oi47G~S#zF) z&J-}?=us}J-+G!IA(do+9K{>p>E<&?dVdl0Ke_u0R+j79bWU4#?t|`k_`hfdsThxRPRP5u`J+}8Ur*1qT zkq(7jw>WI!w&*t|tsqn7aU6oHQRshhc2gLxG6{x4W9**B+QF`prac0?lYfdI@P8X) 
zWC}U4{I|N14iV?_#+NQ3lTQX#BR_CVRvqB1s%uSx<_pGh4@C?1ZT3ucEV^;EbGpeo zpIzd3+J+6m7uKjnPN5z2qlId}dJ@HjAYF`R|JV9%L#reu4DdV@j8~&wwmZl^L-yb~ zMZxU2k`B=&*u_;!MS*V-!E(q+o_~o}!L7-dDNttBG)ab_`QJeLGjBj_$s7cS5$^;J z*ltpBYG^kn73$a6R9q48VMD5r(lzz2$G@?&U>60DFjZ>uk6Z9duUspXD{`k&^u@=@ zA{Ir?!WT^rWFiq8xE)N3T5h>h2q3LyAk(%F8Vd@nr*w2MU2ZsLH1R2RUVkKox=;rs z*hQ zYlQM82a7u7r_qK3Me%Kx-0&B7#cxy(_0qDln3B}#AOAxJMM|;F|95Zr)H`qddtY6> z&=&AMVSlj(PX`#KF4YJ`i+__?C&2iemso5!@NDEIB@QEgqP*UI>Y+6ktRsLbfI6>; zF;Svu>(g(`G^9rmgln#J{aM!oVv`+#l}9Qz-Y<*&E7zM+_-N8DdefzIn?&-h6TisrHyP-%sIjt%`au`O3tVhMxCJH3r{(k z^5G3CYC#?klY+jfg?}gJhD#23%~eHjj*^pEGI^$kO==;tx934P;E6*%6A6kepx?=G zUD)ish zGZ|G~1s=X2$*((N81mSr~@eN~P zREa=fD&VSmD5P3EQpECn8oH5D7&S&+x6k3xgm*@Utbj@ikR2j|l5*@+aZEpYY!oPUEj12c~zS;$0}a7%?sK3@*fip=$5VHm|JUe(i5QlOl8qY1swBHRyi{4)@|Ve~i6 z1A{|Wrf?Avgf*Wl;j*{`PWhb;6RKTG#d$PSNg2@JI2Tq6JZPgtX4SzVkmlhKWWl6OVG8t=Y?fquxBvkh% z*Lj4gwM@HImZY^`l@%BT^6&ZpG}#m1^LAs#Q*`%->hsT}OMg++QBBgQJM?M>2=Pg<^RZMQ^evt`w7F{x6Wm&44XSCEEVdP^>(S?JRp|1`JMoC076ew-_K=f7Jf75wb|7_8onS89cndsr|mT- zIIVb*j_d1OF}g_8c2U#8P)?v|_zV~^0)G_>m{n|s>>9Fsr46}GQ~sriCu(#gSVp7A z!w7(Lm{%ap0=eMQ1bN_1z}7E_HNh;h=l?+G20BnY-1!~!U{wdR9pS7v)4oK1vN9Yj z@jLl(7*>_QcDzvIlW6cgfS84TxGxdwWgyZt(5E33ulI&dp#-WZIEC;pTJvoqZMhiDF#DU>k)+>nN^v>3sxog6yyl}%c&?=@CF zg>YtIi#0%(B^KzO^NFggbN^WSNPqV7SLqJ8Ys;R@GWi-h%%bv3aU?wK*&W5MPJVZr z38#;W`p%gD%GZ`N@D)pMk+Qn*0iTyOW{>R9WjQm(Q;0P}Xg=^oY&s2e=V!= zS(RPgG=8{3OB;WJ3^-yQ(!V;POFHMDv&!j7+XkLnwpRm4hchnmZdIi zHP=J&o>6)+Oa zkHR`_^U&vgka0$8-PE0hS|bUJ}q2n?>Bg8N%Uf;Sz*a%TZ)$*>H3*2 zn^b+tXy{wY0c+S1kb5TuWY^<9l}anW%HWNHDYD3TsyHR8bZi8WF-Eu~XkR4=3%$uS zO<0Ez`AN%@e$(Ebk5@Otd>j&1BLu{uia>kF>c}E_dwp@*=BDo*Bee`GF+KH&uRQMr zLe8V}+v^5zl*X?i5P!`+Fh?HN9x>AWG2QR}g-csxO3SeK;6Mo(u$xJs z0VvC$qADdG(ZBzGE5*~x+?z3+uq}}-0Ch(pRm?fU8O<+c?Mlw56h@t)oEy|3%)C>x z=tjrw{py~zIX*f|+LX&rzc|p^?Io9rIj8PZHJb0^^dOGXC4ZBZ`TY02h0drbLZ2%< zLVsl?D>dn1NkQ<=o&`Ck+92s{Sl+lss%Rw3RS2OM&ONIqjTZ00wT8XL$HD`axM7rpBkT0K&0|Xs#<#xYN>|CP5;Ec 
zrADSE$qC9gteW*nz-rs~;A<$#lx!TTYmFSQ-2x4JCY}sH(fZkb>4Z}`1AdgOiAQvM z?G;6xVt;y`WuY=VsTIKr2*)YOkoZ+y-N!GUHdCa#!j!yzKJi}sY4V<*CF|{mvB(Eq z6C}dFM@!)}6Z$G2PQmT%in5;+x19S62NLSZ_|cW!u7jk&4nMz=P)jLxXDVqsn# zLL7Kv#^D_~LI|EAj`8{fBSR6U!?m!IKAe%FrGJ1+XA?Rk`j{Lg66NhjYSCcPTu?+{ znAz-il!we|7Xm!#&aYw8m*<>*nqgmXK%(1#^=u82KA4vQh9wc0QF~p14t@m#rN%Rs zLdur|SNo!g_5?f)DRHXT?}692a)PdwOhqW^+O--q>L~3=rH3V8my&EqK7!RNw()%? z=6|;bN(_R8NW00I&gJLeZC`iw&gl7=)aHO@*}65`G*e1$0-8ZiEjaO`LR$#Xa@=); zv)WDolscM-;K;zP>+5EZ9*J)so*qwVInNMvEooW8HV}-FUT9v2A`!iIS1Y|nO%LUM z?%{(tXmbXvL^>FlEB%nhhqu))MSL6eOr@f5-Q zjRjeWhmGQu|Z|C zbh#0V86>Z7D}vzBfOmV2I3@MYZBVc8dfBdEC@q)&F;6G+i*U$(TmE7o1b^sj7nip9 z9I$rOh8~4#-HH5>qa7*V06Wd;H~doMN~_)sV8Op_**U3CQ9aD1Kl(3(Ia~D1U&-Ep zqY5$U(mnx?+>1!870}uUykJ0tEn~qZ9pvsX*X+`|?M(3BaH?-q`J@aChyYwSRUckDcZ&+bGdRzM@G>Id>yn%Y>hwC#kQLC11Y+*O_~J z*x=Tu3~-!4&c*jc67rQSJJ7_|V2^An%nTDR_~;d6G${s&DH5wS^Vg$?KDX7JZBqqH z$Fwv`l@Z$GB+B?@UI;Q^^HHh@k`SLPYd%KLYvX_N8wS(_I7C^5)j6)EVqJobU?YCQ$QHy zi5qqYx>Z?6A_|TjoMCQ8Wxsox$c)w`M)#`O8Bj<)djFXMIWPRD!>Q}VD!HE$6NhP;fWS48d_OD; zZ>qrJPCjw?4(i}Esjwb*v^Jn@X-NJh z!GXVOLdHQ`)roG-yadUE4$VbJc>za`pfo_oJzS5?Ulq*$wp<5K5 z-y5)ti>X#DY!s4sHG$f`K4yxKa6T7J=lY8^8fmzUv)1fr5wXunl%nr84_f=S%Hq6i zELSBPIlKvc*m}u%o+7_0i_}d;@eDy!W@b%osu|$CB7gi!*Ix(1@)$=xGD<&mi5f2? 
z<>kX_QZ!Fi7X@q`DQ|WWlM^G`9{+6iePQrg0J3%P({Mk2fv?HuDzk4L#q-ftiYiWa z0@{@z^&X@G45AzJQ+HBRr+D~V=cR)ysi|wHuXvc6;+nuRE9u)uI5|yVj^h6su+E}* z_{|{^qJJyJU>B`}pdXg*VapueMWRJk&dD<4(Id(tSrcIETbtLkzm+`1jxqRxJM}70 z$Q>vq+p8Y|yYGV0q&&Q^guZdub8+R{G#^6zDw|2o${f=tOnf=unkWx70@JNeAzq97 zOwCd7{?61pHJx(Fy@f{O=bJ8J^)Ea(IvWOMgnzy_c9mNDaV?S30ubOMD?(b^-?H;k zosNs0Owx^1wZ^cOP8D$|zRTQ>Bnh&B4x^M)-6is}0g0fMQae9H+~fXECe zMU33J>y^nDcDNRT&SMY4`BlXLt(6A0AYn+%4e)3^?{flj;OP(&bNBtRHqIBrB(^^g za(|x)HZiV|iw6Ekw$j;t9Bz8ErtB#|^K>s#JFlW*YcPN6{?!hgakbFEE$28F887_Q*R@2BmxC0SHnt#l~6 zRsffO%VEx`eabs#p!J()2?mUv)vaUaHc=j-dl08QpQI;8okgH^6luuK{k};%f>mNj zK6}aAd1O8IFphAAJ3zXPC3~m9P2?{9jYwyFiN;+Zc2Jto><(5Vx{_+$llViK6o0q& z#}#klnGvN@ugN|&Y3@bYyqbzxD)-_Y08Re@my=5m=2D&Gj0>nDPTw7*G)uzLgFY_> z%CRXRryxR9wA=jlwmCggghNIX&XSqTNXv5 zt91eZXpi0%Lib&KAZ{%OfkHejU?Eo5o!U=mmK18aVHmh1z`5GP_}l)Urg? z!U@w}kPBO-f-X=gD8szvg?}EhIz9A{m2i4-;9JYQ8*sSyip6S4CM8;{+3Ub0JsjWm z{TvI>-k(~&b+1*4u>Wv>@`$5n#^DFs9+1CP=;eJCqe5k$MsUUq6S7<}Q0w4eY6DP^ zzE>U})31m`&hK>M-@+;(Po{yi5P$@JG0@Frp1Q0ho~t|eW`uw%W`Bo-#ikYP4QvRg z4W_s{5Vjj)4-^&-$;Vh2f5;`2$=mUqTXLnr0JbxnVL09zsCwuqf9Vwqf6TbLT~((KQX z55B?DGiIoGKfbrQk7QN*olfUQB+Iu0825v<{)^JVG}V?vOZCg96^^`WGOpFqD>tM%CBm34eH;JTf_CJJGd;TK~sC4b|UqRn?)5#%<{_ zJZ!pF#qyxeCVzRo*CPUgEi(-M>+8oWst!W_NyDdoUJ^v=+&@ofsZm_Nl=U%C*6Ax) z80iezr9A`RM_La<9y*wfld#1YV7J#lvntoxU^XK0UV9?yCB=?u*+ZWad$aL#Zmm** zqnf8H@Obbgx^_Y4TYw{U%072}`04ucY9@DbgM)1)B7gjt7(lmvbF!!-1f@_aS1Sf% zhK#d8V^Yk&lWq|nN$B47RY|TCl!CLpMAtc`ADCrpDa|Fl??VoU1o}8L&vT2ySy@Jb zP*Y=gjn)<8YONz1Bq&!o~HK{!-ZC(EE_y{SYa-u>Fp~ zD|&QYu76lZJNa+j`ZYqFdR#aQqP&a1+XQcLc8A>;i+bm97dy>VyElB24rVU7eC9(k zpICzKJ$P}{`}Bq&gdOJL>D*rF?_UT6RfAKTJFC(`5rPoS&nZELc;o7}FCFgWi&84E zyQkvRkGXiR-Qt(>ZWEetkbAq;Oi_xo--cKC27i5$hVEa-^T511E6%IAZDy25iW zC4c&j#5iR#@;Q2PZG`VJK|Z;dlqE&!hn#keO^4!wiqKG+$t$1YW$e0r%y4PkiWNuK zCLCn>Ij0ZZFn*n?mW|w1NF&CllrL(HVhy@7Y*K8;L_%k(((#A~q!VpGJ7FL7#|SpD zcz{hwJ=MS6sTa!(lZSdeVayquQ;^=i?0?)-$xgC}Xt4c0&(;-?^@8w9{N9ezl~hgQ 
z;4RHfPl0zw4s&Zt@@?YeBd+=i!j?gkmnHZ5-UWUxzu?;dvZi*fHFIFo@vwjd_m1gb1Xixnc@yx=pimA*#I03>eft zW`^%_C2lY}(MF|oo>EBY4N?2lOn)1;;Nrg&U!Tz$0yZ?P6A2~`>gD}Ksr2J!)r|1G zY2EJW_c$Q+z00i!by=WqbOZ;VO8mcfr48(8Wf~&iqSotke|byF=Gr9&K`o_Okl4@X zus4TleZXwYd5)6K>H-9c}?#kwm zQCi-8o{(96C=9dZ1C_?1j2tBs2`xP{T)kspBw^RE8QZq44rii?Jrmo>#I{kfF_TP; ziEZ0z+uDbtKSDouzQJNx68dTy%_+@{kn~Q~s$5K&RW6)Y| zN*sjR7GS~FQOZ}Bnq$*GrkSMkv;}d;OCUTuZ#m0~`G3Uj+&RlcJ*Vy(zm-6_PumNL z`pwYOtmj*YSiZ|nm7JIkfIZVvPy<|}4H_vt(JQpFOH1Xrs^nj%6U@Oar-qTraEe>P zkLorUi@P6_^RNt6@inB#o1qVnmsz zW&#KBMl`MNa{j1j1;#2;!>^U;-A`yJXbqIR?g*@mcSyn22(O>F-b+H%V4EY;)Gr9Muzpvx1)INba49fAaNO!+6UoQUWQ1R6wdAHIO<;1Ed8q1Q{B+IGccef{Z{$CdL-l z)`lP>3r8at8&hi&caV{twVmx}Yhz;wG6tD|Of1aIoms3+L7yH(Lnm{PiGz!wHOLfX zs&Dc6`5alengIWan|}Hb|I?d+%t7WJ_U0zGAPbNs$O>c)vH{tGY%Od}{u8!!vH5A@ z=wxAL3$g>*{ddhCWN+wbVry+;>ipl4<9|*HvNv(GurmfZfE-**oSZG}K1Gafwx1I_ zXA|R}*8e@`e`fUm9Xo=YKu#t$7XRIXlZmT|?SIbbWa0ilo%QGC$A8VEG6i{>INE(K z(IbE)>};JSEUZn){>PQ4^uOhK|F?Vbf6MdOxY@q^-;TUblOsDf>;E(T-}XEIU?hjPiK>{b(=o zDlI*{Lnd{Kscy+4Q&cfT`%=#VBeS@~%TdM3egh%)DRd6j)f#?e`PRVbTWw%`%6q*u(MGfxQPNheA<3>kz9Vk$Xz|dqdonjV@L)jru$E^ z*%_1|p|K%sV}xHuP*N*P5E+~FVrQq{h=liXCN4bQZ{V`NWP?{-UfNH89HF2!fb$0Y zh_VKEl$gK~N_&W+k(dX==EFprTG|0b6mGP+`BrY&*_xZ1*$9@n*_L@y5oe|#SA~EH z959nC%&BQ?bA-oS6Ti0K$d?!Mcw6*fB{*b-omdR6rW3XjF+yFfT?EDubuON64%J-H zyb$ZPkSck`;0X6ZE1gj$AM9DMuRh#hI1-5;AulU0u|i}kf*H|2ewWJt#@i@dH5Vy+ZdXIGqy2)wY@Yuk^qA@r1qQsOlo*IFy4l% zadZ9Y459fkP5F=1a6MM@Q~NtRF#uzJatie!>GP9JGHdvy*^Bkfr&+DR)wV(JgPh}6 zdGQjdO>)a3NAXesk&d6zPhh1ja`WSN3S8)^j(xGLtj!s9IzYGzaIie?efXR8RhkZg8P6T+dnf|RTov+mQL;W zN+q$r3F6KEt^o)GgFOS7D%M)S5u$0G)cgHwOb+_t1#j}lRYDC{t=Ge2>H0(9v;24k zfC_%MK_~+GxM6VZdXb9=rSQRV)G|giMsopZybDgg{AKz072e62N>h*s~g^x z<=>LJKVsL1V2sbM8v9=kTev$b{nOW8*cadRm612~TNz<9^~-@jwbL)Wa4V^u zv7C^Ie3Tq7`i{Tip@xXfOW+*8R6kl-zsHrnRol;#X=mkRU>?S*kG0}*+C`cjY~!wl5Ul|EIaq z-}a!*1rERcy%N05oZRia9SrA4c}Lthf%$CW{oaGq!DxU{V9U$k1i19kO}73BzQ{g( z558z${J`Z|*FD>C>pItO)?9yadd2NHaDDzy^N!omcz8|wK6#eb#Le3gJNVb?MS$RA 
zOHjX0D2s0j%GY9jA_%lt!_u_VA%V9MZRi$2dd$D47oT95BSbpyq2N7Wz#&J?VWe5` z{BUhYQ zn0q8KY&RBsXU=Vx4?7pBO198_LCJ}Jlv{2e-S5pfl%ro4$Hkwo0s1L66$O`+Ty42X z6xa5ey0b^tYr^4|V`kstnEpyI^lsdNkshc;12t^?yfqQLLW?h4Ld#tC4*~qM_^Ro4 zK|)c)1zJ8_s7E}li+9|}(=ES(3!?VSU9oLD_dik`F0J693qDBE|V%*-#wK z^p<_IgEN3@NJ2?{G&je4`5D$5IFRx?7reTt zfLh(RLoi6SL#sd~#hioHau@7i+6i{beCzp6`mPi;9ZIz%HZT zo#W`MPeg3B-{{CA9N$?Gp>L;~bN}8Za2yptwq5;UWu~9&U}lOiZEXa5V8;lhrx|7^|;)gyH)c}56sg_t@{z_oKEh3E@Dib82p;m)q#7dfnp@LkmqK$ zd2Q1`hDGj&On2$RfF#>7C-+}&TM_1ef#}aV(FbDag>9xYdof4y4d3~>FpfI|0Bva! z)n_=@eT7(wUH2<&-EvLWz_V zyx*oSZ&Jozr`>u3_t5Q}Ay&gFONr&XS)RmIfkPD@X_h#2v*V{=2lp77gs}y)l9rC- zzQ2_Zo+sm)^^EUb>~()Y)Olcv0Bp{0hGVRKou};=iv`f73v{R#O@a_khO2|oLThlB zIhdR|a$k|GM+|8rKS>H|&sRmGu&m_kw4Hm?8}jKJY?)n5x-Jg420JA*J&o5WGe&3e zhC@9Cx!pXilTAH6D%?XbRLGSnJf9)mbyqAR#MnSJD7%!zp988OdDyU0K)CH(=;sMY zKJ5I@wpvQgM@vmo?%8Z`Y5;RZ3+Q1{fUX=2C*E`Sd2dt10nkJeWHVPlh^}JwIEK)% zu?c^9kmUT?@=PKhNEe}KN)tJ)8_-dx`hAZSFHc_)!+)JAdITZea`u?jX@oxVubD<= z%ymCp=|&>+jYWsZgdu-4prVO0y<-Axe{p(GjPebCPZ{xPcVQ_{2rPouv~{r%HNv2h zrpqEamt2;1EQ8vi#_Ml|8|=dPIERM;sm4KpW+xf66(=p;%8=}osJ)qj3I~i=-p|KM zd7$Jfof3nALh@{90V|qM3%LaXjgA_dd&J6Fnt^cbbQ(BpFq|_OaT##CbpITj2~xLizT8Ej zqtrH8wqV6Gcy-PtMfX868)34d9MCjJd*wW1Hk4CEUy8i`z#ssyD&uTb*-sE+Ja$f> z34F)T0(WZQ+0-?GdN&K35xUE$#}_mLEU(~06#w!@h@+&~FY(8)xkoNP;YNEviJGyw zp;cmGNl%SO;-&n=k!#?i!D>loTDay3&S+IrcL6bSijcFWR;8sb>-=GUT8PS82y$Bq zYJs3{u2`H2%W)iwM}+8HIaiQ_iKMibo8Ba&8J9CQF=`ONVdj2OK+%U!RznD7* zYybK__)Ai=vzjSrL(If6T8FXnHbKI;drux1*H1F(9SaSzmtoM71Z{JmYYP0SbReGOnRU9wHCPB=GaCRy*#z3--Y zQ%M94ph@X;PMKt?NE4Ln^st3DJ_3Sju;b*J7&`yiFen~1;+?azX)V3!_|CSDn~*#@ z@)!eXo;3@*5d+sAg?e`k>lACNUk=KzsO)m0fBj@$lpzrl#QYiD)8ldX&t8t`bkkFu zHMhlVX(wCPo*7l2(`QnL5~TKs7mhZ1@$7bOy?ho^iWJXf;--Sih|Y(Tf1a_`zg53UrBxgJZa$20zD zfCe616z8`QbVK!L{e>JllK2nPokb<~BUv?xhV$+_Q}Iz+%d+)OrEO^S#wP3PYt>@6tQbG8*qD8R6#u*C3ABV*;(fgPZeU>v%%kH(S3>vTGRi*(23$-GSCa z<7HEkS+oJ-ioGy;`18q^uiM^n-9T zNnJU;)r<%J>2yEhWN;s#St}YN2w?~}Vd7{zprDPg^u(cBw2swugeUxU<}tkp!$j33 
zIw>|5k?!}7JKSys=#;38m0jS>%()T1yY-x!C)zo8wC9E{MH|{+D)Q@harnev*PweT ze+=W1w{j!)vD_wD8u6(fv#)%AtD_RX2~QjhN6-)`;gus2V_t0nI24$IOd&52rBhV` z8(z_u^{-tM3BMvQVP{&uWh|Hjj=-zmgcIw#qdYU8c4Qn}xMiLgG>|Vnj_2~n&tgSj zN2QMKHDfZdtD@mJM^1&Fj%tLt87;f80C~gC=HHoD_AIXF8F6~YxvrTRS}j-ubLIZ5 zFi&xH=8r_#yVw*UdJlB)?`Q1y*820OhWJQWv-_54f2MzO4e)PkI80Oy6^}g7C!s{p zQPl|>=59MTAeT`2>{T;Ob~TrmU;MF%Vf_H*)gx=h-%wb}7;hIO1(;x}S)mprBIGbB zhFAzpkYpgSyND!!345tjE>eiQrpl6_y}aW^ zxhA={g@|7CJNwf74mHU)C!rJUi8JY`N)c>Ok1cWFjWK$Nj?}(yI0C7enf_%S6kd1J z0pp`I{~QzdK9KUX<5x!WeEmTFMjdb9zYCGGPRt-_<4*W@Yb*pdf@PU`65LK_$#7%N z1N~`{8}b+knp$;nCTia4elj|n*N~A}I-YA@9=_b;G|xQ_Uv{87X3{?Av9zen%1`!w zp;1zKS{PN*48|;r&%`o0F5+ApPSfi;P#ai?+FDZ5YUp~Fs}08%ecj1)L4RGnw8JRG z@*O>Nx>Q1J1dU6GGI9Rh{NC5@ih{e4Jzh~<9?lPR)T~QIQtL0(O)_!(Wxh$}h}Ebi zy&d8if#+-X=Gc{-s$`(#EG;377LV0ZeE(6!fK{=xkyp5|Ss_P=rNthy2QC|&r#UT8(GE-rjL3n^L1DQG|YJK-JzUlHzrxj+6M>qFc7P4_U8T| z{G|-YI+d801t%RWFQle=Th}w9;ajXC`NqkRyn+rrJpw!MOSt27KJBSo!bqfO)! z)cg-RM_2Lq+EiNlhjJuyrpN<23oUK;B1%I5yIm}Db0Wp%OJM4Cbkuft?xQ(MBW#_R z;^f5*wy#%PA4(<0=s&H{y4}9tpwfN2L|O9S26ir`$8cItg1aum)0NY0Fm{MI(&%C5 zyeq!KUI zZSMEz*{95&&(iJ0%b45EUjxqrCEQi`#D1#7GS|@XQI~@g+;@79DBQLNui%(Ml7MPv zjw9_8pp`e}GSXwid1XCKt1Yaw$M}5{Bd~CwP4tW@5fn^yvoCDX+{{%S+4 zg{M7YG{O&JUFya5@tohex_9_M8)O6IOTss!5I~u&;GL4DAee9X#MvaM^`a10Nn9E! z_y?#Zsd`P! 
zWOhPlSltX%#4lzHCiy#xrSVY2!_HTVu{O@1!u*mfajS@9QpG}wIlQ7;k-sFMvD0{^ zx$?db!D+nzgI*P^v-Z|_0`>_P02I0O_g2#D${HB zWPZ(lP1zEAG!O}ECNI8kUnwmE=n^b*cA$s_EzfNjNB(?ad*(ZY{mc_p5JDS*rh>Cd zwn^HyZ<5g?5LI0F3B?B}W{Fq~xk;{Fht|w?Y;ly#N9NjVZ28+jw0&%S#L$%lfu>cyBQC!#g6`C#-NTe;l2~b{w@O_U^>q-{8K^M1Q|D~ zSjtJ)z#{T}>kOSnU=z>4)~#&;&Fh;>oH}+emQx0jnD?oSq@^;Pjy>^;IZ{N6TV>~S z;c@ysZqa_<;}^5a8KLZY7L%74Cj$_Yo3U`WF_me?!W5k%p+P6Ej2s`C+QewnmJ1E7 zVQpv^PMb>8& z_k*RG_u2UzFcIaSNRV$aC7;Wi=2gg`!_i#KKxJEAwxE9}@DDx%MJ2S2-jNdGp<7D@ zQtX}!{2xzW{0}oLJt-{@2tHaa``|K>c*`@~S93X~`=Ul~_-|5XZiu*_6~Nj;(_5ae z5l0WX2wGe@F|z7%Q>hzP6q(D0n@<(myVIU?5d++??ySBCbg)<*&x9-NEw&*4eulf^ zcm!?vy&lGn0IsEEYodff@hpoWvKB$=)Hhy^vT~+;J`?wxEqi!sE%~Vb+Dh(%1`$No zYHkXi-bUja`(()!k}NaLG!^bxBe@s1<8C+Zmo;mqzN~Y~VYr~=nL-Tp1S6t~XRUjw z2kIF;66N#cc(;?PZo6GFr$S$15-dG0y)x@g6shcN1Bx}BCSpJ6Fw}RD>Hl^Tr247` z;@I`tR)*RMx6zmeK!#tgR^zOGwfNCjMkjlc$OyAlNKl-yCe7lf&aB{IPH>X<0j?@j zxsTZbiTgxs(K7`vt-HOFxAaD==R3GODKua+-=tC{ADVKPS~wiD7Cfw4JVjcE)x6?j zi;`K)0wm_|1|W7|*({xkDj2xYp614RhP4wUzj^21a8p^+*^^_Lk9d63c(G@k%0E)} zrG4q={Ask#*k3v*Y+vM}RP1f{X=wuq9VD+yELea>sfYe`hYtH>Ix&QM(~*Y4K_`}d zPvrc)m(JSLTc(7gxe(6`LmK3j99Ub-(`d`#1oReQVJMF#TK{0rxoInUa!t)}ibGqJ zbPu@^MP`~uTy7d!&+t!mJ>&>~UbFPGz?6;`{7df@qcmOfCHTYKBA_cWoJ(eS86nAA zZFFdvu;wO2AGFTV$;Q2}%!GVN)qb7*2Z|n+om099p32jBuav{KG%+HK=g;@di1nWb zLBQUcz2j({=^r zbQG;>znL%+%v*wlWBK<{5*ea8DG8mWjx@j&>^L)VRJj^Eg{^as>OmbV{RM3j6EMUM zUGhAcJ z#PimGd-vuFN;Mm)j?bhEeU;%;7|5`84-kMtoexauuVx2Pj0~?nUEZUi9A^I(=<4Np z>1ptLsnqq+#+cboXGsaF71rgX0LtKo{2BH2S^$JXh(}B^hD>%%`Z?vQmKQy)M`fvw zk`mZ|P{C+GA;Ek-VilL3%!yIC)K@9re#ue$Ta&xqpLQMsbGqJX75Q+a&;+FdUP zg&(teg-kZu2sp(ywRl=ltW8YKVbpkbN&&NsGTlbCudI0f`dbeoMgqyk>$-I(5m0du zqw-Ikt(WmRXI0oYP3(lQKt#s?)o4^WL{$Zry_k|1q)J-WuKD?jckrM3dx(;02~^rD z{wXw={eE<}4j!S{xpP`cGdg9dB6m>?JCsF%p9Ehts^H3k^^uE+A->!)7rJjX6Gqi) zd=?CWCtXn%(LU{)QZzX}7Bz7-{`vVz{ybNLmylM~)j05Q1~k!T37{a|H$^6nGuLgp zmoMB`4|)3py;ZFsXWc8aFNczCNI0+ridxPS$U&)UIf?l)mH*pXUpF&4Ae-%>?pH2^ z(ve=%f|}(&ICWHKj;Y63=+cWni!5^RiJK4a&U7~sStM0*W*L`Ll3s{AhmuheZg0yQ 
z2^s#AMJRBD5YOz_sQ!!Xzb`l(t#gSf)cKm! z!1)1=4-_=}F_2vD$4+G~9tT};d4+LE=AY~+|-}V&eAn8`uAt=5p%R~PUian zi1o;WPXoBRVn6w+c=I5Z_a5}ba!*3Rek$qno@_+AVO)sL0t6nI98HID77_O0WLtvDn2}vqDJs9fC z(yw2HSER@jOhA=%v+Y9;w+|tvan?x*b#N9>Rb7=3)kIm1XzaNv)vw3w+`On!y#D>8 zFQ}6Xj3Sc;$|NWpY)Xz_uWYm!U*=z1m1@%j)10~o>(FZ*#I#=BJ@+<`S6=Z2Qt(;n zQ^I;ly<5x2czz@s%`WYLCkjtd8Py$l<_yBiV-@eV^_o->4(FtE=-*`R>f}eg%rC6*8^Li4nB3Bir9Id2 z^(o0{zq4C7#tmCakUpcudH;@DoOn2Uh0|f2>JZO69mqk57|FxQ8#&!I4UQ`ibn_wq zhFXBb8VM}^^`5&{0`o4gUH)dUd2fehH&;-zH(xi-m}l}du5aw<7r!4$>4-3EBiP9j=DwH;z2z4Y z@>qa1?^_A7X2(!@1LPMgmu&XMX%sV~Gzu|}8QFEh&G4(=hVqWrdb5ixF0Aj1ZErvL z(+ee%s3o`COtMvrd&d2nQ}h>oos;07qAoG!z1X}PobHxJXhvuaBG_~Iq70* zPYm`bVSV8Y$+C6*h)(GW?+WMCJ(}wmN~=(`XxtbWmge=WW{%_IX(||H)#FJk{3V3q z*?%%#@Ftg>h5xw+>B&H5roQize|grR-s>LX6w_DYr$%NG8L*yW;TzDjN(D3gOR4}g z6T_pI6UW{fWq0f$n6n?VFD!T|I zkYE4Yd~){6en}|$&1MTdGgfiYk+lt>y9bK}20Ao?Hanc-5TApWVUVp755Fh4xVTNUPhEo z_RG|n(&RSRBpS7xaeVi&`!~1y=Mt_v2(Cy+4-K(rZ#6tq=c`Yn#!FL?lKglOySFbi zL)G^8D5gdb3dZGk7=cD?aknnwMo8sTT&*WJIrpQXy_5NFlFQ)F>+C{~NdJO6@?hV% zGtJDd`{1^PS=4VH#fEV$c^B;fI-Q}>_CQB*&D;8A&A2o!&8+Cd1^YM>0T-QB_d*^PV9_+=Px$8FU^tQ+&9ZxQ*ogACtxU0JG-C31lOf&Hk=|P=Nt$DI71>d4^$b(?~f$L|+|Sps)Ws{I%G>;%~>DgFhQXpM?HXn2y*jvR=b0AIw1x z`YeMPYHHfnTI|CH{@0_!=0~LmXW~K04epTwS}CG~QM~4i-MALs@}0gA$kE}PtC3TP z-_qXM*RB0XgnXnJ?{_i4TaV33SJrrpL5dY61eXRw`ctA$bV@d}VjyexK^~RsA?+4mCs~ZgG22Pn$RPWYv!Km>R zM+hRX(aw_#bdtYZL~8E60dCqXZ*FE|=>sQg&EAw9ZJb%<68CRly~#%HGLY*5e!em_ z>p)pnFrFH}l7VKwnbi%A{S1#7$P4u$`{BJOdooQe;rFx zNwDgKrvG0#DVgM<(`=MluC>>I#sZS7YRlScPKkSgtttD7B;k8V-K6&5 zEu)?^xdSGbx-jSCvrO)gb1KgQ-S@UaEY_K-wLtA71zw&OfKl%ImJtSQaC!v4**D`M zwKP)4dMW`9P1qSyml{4Dyv8+HFOL?;HmiW!o3*-Tddw}YRIt7}1K-GG#(H5J8*vrd1Z66+^P2qcS~QFDxLI-(gzG8~cx1<=VtD#U2L#8Ne#@8N zgDPuf$j##?KqDXF?R7hDz|VSc#GGgm?v1^xphg<=J0f!W5=$+6L*K(t?)BD+2ijbYm+Age1Q~b=xK(E>3^uDygW{;cgIDkB(3cF z$?|BMG!T78eADH2cN%U`4Q{58kd=B<^Z?9eH2Hh3lx7#**+hBx!UJ%V+@pfi~R9=1w#?I zo!EAK*(Rvby&vP|K4~M>V(T; zC<_Kt9sfhcDlQ=MvF^wi8_Y*^{yAIDNH%(LqTt|Q^%KLqkg*t1t?%;mw3_{A`=wy! 
zlD{UKYX*&>@rE)*z3uTYa<&y?jpZI*<=V3Tmhn=0RSp;Am#(X-eafQAG~=p^mydII zXDRJ1T^y=}W46pVF14sikOEz&xfJ0Guy~=6a$E4BI9$(1=4KB{oLYorr>1FOoSpDo znLpp{969CdDtZZ4~o4QzE z{z{2o*C&DFG9onaqdFWh+Oh;MvbH;FnMp!YP6>2#=$;RMrJh2BTTEnpZ~S!;z&E%r zWn`T{d#F#2b7}D&t$%=NnsooRg*&;g?BQav>-pvVVrTl}Rs;>A39#}m*gQCrGRaZ$ z@?${rV^sGrZ5v;T=+AtIA<-Ij{%GSVpb5q4uNN{?V6I2RoRPWSgl#ymW0&!VyyNrg zsfT|ecpc8N&16-`9g|4Sr9k@w^g$~M6o!1D51vVWllmr3EmtScG8~9feRfPo@-^W$r?3axWOOLx@32`~I7Gyc3sLDfc4oag`HqjVjbdg$Z*-y~;$G(rkpXp8 zcE9zLpnDBd0e?j*whbSwgR4LlS0!C|kGGnXBesaV`y3ScWe{KW^GnPz(93f`Z}}&U zP&pOs#)o6q!qlrOwAW-oB`^)zD-E}jAlqC_jF1Ct#9IoHPR{(J}bxVo^plCXSIFge?2txzTG6) zjQfUR_him41*6vNOTt2G-gwETT`wG5)0T+QC+OmS=vrw!z zv4bj&Fm(MXMs8T<%})KaRNKU*F74`XT&@$7d@8o*c2kzOI6J=(mi7m~U!bCXIaIen zHnE+>G?B;eB)5`c530`M@VhEH1imJP;cvy=)~C*Qd;TdoLcBoKT&{=XE96*bA$2@B zm9hQiLHNzMW!^-&81Pb=?m(koX3Twjw126Ho=yow=+2#||DvZ}?wLH!5`LVY%KG>Jr^=}o0C0){%{&~?C-s_v_cc4O622PFsn&djXSb(Stca1fdq^dn;`5PPg zt%*zzt>P@ptX;z8y2{cTUK5^UVQ1yfQ0MssKp~!NGb|E8Wz4CdFQ@jEe@ql9(08V+ z&r|OgzlEo2F}{{Ll2Ul?w=!*wjd1P2a*OU-Hyp~YQs*fu#OR&01FOTOCmPU`zp@rs zW{qJA;}4sFZeXmyEcM#6iSN;g)Y70DHkbRmqG-Bz@11-;6{MB1C4KMHgyS{(_@ge^ z7)mYnlEG+5S0+YY9aSQd0>Np0x@t6pm66_+9`|^`TJ#-HVJDE+f3{$o?Gf3JC z(UHS3RPkc1?bQ(YWY^dgG0=*n9KZ~+or;MJt_Yb1)j2S4U79&_N2VT-7p2~PhsAeW zn|WSrz5)1JCeEbp@OV`!e<}F}^0Z7Q=SnWr>MFBo#*(&c>!ps*uHcF9=ybm#avD}J z7 zU17U6o#w56xf9A$vcb30iTQoE1+VEjktX>qxCFS%geIC5)EXc_hjwa~_RRb#(rwxw zmD%DxtJGzZgwv;e(}=+sAe&E&KoxI?J#{5{mX?@MX-EkoJi>t`9J&9zks2gG@*ulp zoRrhkj}<>=^l5&;dWYHwLSMUvRtwc!`AtCz9(!{mW^7}z240s?(1<81kn1O}H+dm3L<4%R>)lBuu?JXr3KhFUY%UrVmt~dR&XyYmf<}{#Ww)IeWutn3w^gZAuycHC zVN%iZWiHG&d;CCvqE8q3kDX2lDndKX7h_<;O~)O=(lD!fx?v>*TO?ZC;g!I z!1Km_j&c3tAvJwgJUH$bba(av+5v`o(^t~ye;#4q9oUI(nbSUW-uqvZcc%{!1U~>_ zi7Ry!TzB2h^60*QPkGdW1vQt|Z89k(xfO<%9}KdVTh3RYjQxFj9_8%DNmoSdf4k9g zcMV6A@a>V>ihuk@ZyzmPzcxgY*?4OGWIvKthrgB4cY>NSMsEsoSv`1G$|m2sVrmt` z`F;^F*&H+%J%G|lG+$BNV^raC+!GFnrtKN#zdDiosp+t*j4|WdWrSRZQX)3?m@nmH z@I}Jl(k{?JezD-}X6dGEWDLcssLkU15yTVP6aihNTNB|yZU3z?D7-;SL=3~X)^t7d 
zI6W~;dXM;mCZypawa=6Ron@m1QN`QVVu4KDrbQE?1S#EC{v5!Yi=3-4l=lI${2@iH zUG(z~2g>u?a4evh*JF$ODjR7uugFe1zYxj`lYh16#=N0oKG8WZX6_!W6oCt@$b&YL zZMxJwQctG;YCZ5^pF2fz18If~H)b2hTt8lRC76q2e3f%;P1u zuk4HOKO;~Q=stTlqQ`>2GxgJ+7!h+c9`-39Crjv_g%O|#2>+hg5-a?2MH_%HW|l~> zYQ!t!hZyy3_maYv*6gNA-k5_>&CV?e?EGrq5Y@T~9%F{1^oGXvBO@{ZS&oZFXc#qD zu#&PLlU_F{S?l*nYL{zyH?^7s6kgBt@Jua@Ne?-pN~}kZ*YCdV z^L}-0NxN3%14_zS**~$lB;yr0*j$j}au`hxSSf|>haMfC)c?!{EPFcq%tEu}92y~t zj!`Y&)hb{|NkBD$7z=jbr^f{RP?<9_+~k^`zgkJEW2^roZUnT4jXaO%XimIiy%o$& za#HGK+o4M7MqC(X6wF>`2?O$zmDUxL;>MoSEz_oRIkW-9X8&nI_c}7a&U6FYX0{Bx zi(BuJ!!LpP_h7J%FeQq0z9%`n#De$k98mz+lC95Iap%*q; zt-tT$i1NDRkpUCDXUo|NsKy4n8TIRx!1#lfNtN6R-YskA#)!E?6Imrs(wxO#n!`Ct zaFjPy*cWWGiG$z;|KJW{q>OEyHyO3AXX zuo%tH5-F$&>f*3l{B!Ao5K$rtj#mM1O+0FT$>DwAWd>Z`W;_9cx3s$>legtHy>Iw77U^X>85V8 z_=>z;WfCBd&BP3Y($0XWEOLzZ@>qD!qTl*B)zQ;_4ug^LCQZjHt!SNs>s8 zN*dY)V*1zqi6+<4pzIKfjhYV zjdi!Uf?}-R(?3%O%)k=J#|f5M z-mjV0}4feB>VgZycA=nEgbeyj2m z7LXfQn!%xIy0lIB`S!1L-w{@%#oSP~H%jtA_~E9{zJX?#8vjbBFtQer=IaNT1-Qt4 zkV40GT_T^>Y(M+~o8aEerayzhgDP+JK*#7lWC2}<36(bg@$pF^KyX;KV_cV+;V z7#i)2(oerv$z(U$EyfD!&QVrl(rBA~B=;c`nCh)F_&t07nrgK=IfMUt+&T~gOe z|Hq`Vw=N$qLU~+v*v8Y+t<5WG8Pv-F{GM6jycKGqcSy-@0K9JV;pm##zu9xX+{ap) zp)8Y)1~lN_hl|>rk5WZIquAeovmX$!L8GKgtC}!Q7&5v!yOC^S_M)O9=@NcO&whhR zjf1n-JydmsGVoO6uZCt&nl9SUHZ6*#4d$X8nWr>o?f^{@F08&z{ywe_PCkUjp> zU5yB3jqb%`+&6dMksUptYZv_S2P9I1ywAAa7C|8t(^?TT{g<&jB@qc5j_jf@2-p?h zi{hEze_>-d#B}~L(SOd5`}rNX`ny0Fd8HnkuDeQ7VSICt!}Yr}m_|4j+57Mo-}ZHD zSiFkz)O}P&ZKP+;*$Z;XWDGF>+9PGI0=)Y8p062R5TbxWo4z=*gugw zYeO?9GS2_9cOoKo?qu4`9BgFF>|Cs5Y^}+DAM)rjZ0i^MtZvp1cWSksq zpTA;m=%{SsOhyM12K~Rlr1bv*C6)dMl2rf1BmVW~6m;pR^Ar z2@0vGsc9X$@e0jhM}#Z|qJ#Oc4!|FKw&#AsLtzzP?#;rx01`Hp?RyLq94RO=Gc$#% zN(s?`a95RWTnP6bRyi=tB0{V)@L(`sco;lC-E80wcz83osT^ygU=#fe_zt{;DEI;x zktwQpldf44C7A-}rl*r%aSTZp8npN;`NG@x%INp z10LeX{fYtZAQ_%aX%M@b%}W3%R*-K4tdevvWbhFFc_!3gQ<7jsN$v4NmDi^0bceu2 z)*|eBa)EYnvNzp~C&VK14r!Iw=~XkyVgqp+D%}`3ed` zZXq5KBEN$L^;3z1*RZpLSxBRGeE=J(QC(G?Ensi)C4u%r5XK*zUOqA(7K=NTF9$DH 
zUmn3fDn4n>FU(k753z$6fmFix3#ii{W`!SePahnQl?)$WV?XRfwa)DyFIYD&9zST2 zT!XvYKPYs(=82uo0H57EEVB0`OZYdA+Ghp0v9&uOmlyByj;M%&XbT{v1jb|$_o0LF zx>@h#fU#@XuOD2-_IMDMLC%41&m~|%;=)-U;kxpP?W1=|y=Tk6J4L5Xx}P2rQ{lX* zb{B%erDedo%sCg+@SJU^*rcWXDi81IM6&cczagQ4Q~XLk!Ro5#2mBy0WM5AtD&xi8 zrCLHh$Y#LM`|j2ONQ@dV0DTuIr=|v@uw7Vx^*mhR{^$qOrOX@x7>2;ayt57k zyE>N}-6V4>VILd2E9&3O-d?Q0gFS`M!p#bQ-Cr9{xEP)la+NS;_7GlR4>o^g;&=@9 zF`FhnKiCZ_ew~{XNt_xiDGscp$DQYVic#6;X7O>;B7mdRR*qT$d>?iBrP%S;%qcUU zgg#7npJFV1ND0wPt5QY^Hufk5BMop@aZcrQ&)X!=*>@$NISVt}m-X&^Om0Ncl?eyZ z=9Ju|SVjhdcE*e@U~%Q`4+O_DjoYOC&`n#(h1w6q*&Lkt7;8I~sc&JI-^ZVG%2^45zcQ2M{>|8Xe!EPnw#zA?Bw2AN(f_dUfsJ;6>Q@o4aY%h zF~Lrr(}0D&$XZ6(Je>YuFxQm`CLhJ@mrcupoK}Vdupz(R`fWuYvavUJ#qdX7;PsDn zwLl5UWYhnPvv&&5By6}fqmJ3JZQDu5MyF%jwkzs%Y}>Zcv2As1+n#*?zV^)g*WUYJ z<~^%}_n_+Nsap5F*55`jJkP@Nf2rT*DP3pue}&^%e+K!sV(Ji%bweS?{JLzg)6WT@ z?I}n(T*_T*xP@-Bml)v$Z6US*Z&&X(%dMcR`$sG~@xzE+c zul@_(^DG*IfY8Mes1K^9cE1TbX#GaGjAQPO))_I8>kT=7VZ$WW;H7cy>y;&Y$(nT! zo?`RDCH5H;C}^l_P(%HYK2$i<@(VdRpad~_I}o9H;LxT6T$3{Df}P(=@0gH*cM8rB znnb=@Dem^sH)g*LC-K(nI;)!eDn#n}UoKuz22~!myf_0D0JE#_o*eaR{jyK`xC#$V zi#YtaVwFhGA~T5fcd+h4xND_8N1t(HgZSK6x;B%c<4SXdEAWqi3|R3}nOlJ1`=OK2 zfw|hQt}c#7X(BehMF3dMIArx8YsO4Eo}19`SG#o9DG0&n9~d_CO>^c$!wIkP_~AVp zjBYA=^O66m0M5h}6f(S#Su<&{W`ojz+}djA>y9$1{WdsGOmWxC=X7rzhqKKXgp!Y% z$d%yq?73(Aq?If2yhMNsj?11d^MzcVAo>Q~oWRnp>sYzRj)lt=bY0*iGS(P>qo^bu2n^?dhG;IadEh{{9s&zC-B9cSe``<5A8 zOgO)xDIAa0n@;gJLq(HPB%UX1rd8?wI~L8~#@^PgVS|7%civ&N@J8*8f>p57@@L0s zOcVL1aIW{2u%FBlIDM5KL^drN)y}ZH&oWc72|s-IG1f@#ab-L#Fpw+?ZPaw?9Hpb3 z_i4}mqd~W2LF2_t3|iE?cDQ%)ohB#p&GZqNe7ueNwpf3d^xLf^368=A12*_6F#TjJ5lnh=+(9G*j@_)r!CN^m!KlTaS~ zD(y=co~b+CytnA;v#X^fg))@wL?&0A8}A?h3$sjA(_a1H;T(VXTIYi?PbQl?F=ozV zmEf=jh|p1VjCC`ZPUA(_9FhmlZl*svlPRc-Wro&r)3gglPgQ_u=FKiK%{jFL4FX5& z9r9{2Oyu)!YbY2W{rA@r?7K3xwSh1)v}At9p2bj-F)@?PyB@_i$Ui)5i%I&!z(pZ& zMXHgwI75E4AVHG&uPK`m`Zn#&kni4Tn);!kPDb3>`;;4&fyE|h;ilAN_Ptq52{xT< zR_?%-wMnY83=fGUK|02);XN*fI&>sLUtwtosFQV0-Uzk`f~=IFy3>vF&Ky~t 
z?cF-;T{@q`{@_oRQ!Iy4jn>*oSEOp7wKy+2#KIAf|lb%E0WAf^)o^>#w!{*c}hBHy?*6 z$AjSu-SG@6q#&XRjG`8NUS0iqq7mcDpFZszEo;*jqH2ww7N$P!aW>42 z6%rTjdCeej#MM!>MIL{p5e>T=(+QNGMC~$6P_1_om-?`MLATGCh>M9Ha34jJMcg+#6iepFK z=YIexGaW_R&tV!%MTwOi7d{i z5Vlq|xJABd&yFG1<j%$508F*a$rZOU_ zy7p`Tba!1o>ifb3**2v~Rgniv)e}Z;MQB*G9;jd*O-QSr&qHeR=Q?<(Mw8ly+r_>b z9EWgGg7vweCSQ`L2*PZGXCMkrOF^N*PPHHYt}r-gFy4LQZfhKL873VQHv336Sh`*B zY)29bJ`I4ko+fC|7EzU;d7IO0?h6u{?D$noXS{J%)viS&1IPEV*0!z`&y14y;iIPOb3*T>rF_eH&OgmiT zn}NS&x0Akf<;YXUS8E(_5)(cLoQa`ur-ZPg_w#_|s6ywbA8X5&IBTsiIlReQVLl?(}Tc<;4n3@d^ z>4CdlW--$k>LA#IrNq2w(Bi4Tj;0xbo7Cd$5UR~1uC`BiM}K$vy{-?)(_qVNrahKG z3UPo;3L*Uq(_6(2W|(w-d3A-0UuU7vIs@7Z$YGFt@vecww&#H*OB$c?m*A(aQVLhRD52+i~0vSVx)KZ!#$>ZR1M!ypbXYx@kg1Uh67m2Mw|p335a1DjMymHq-I|uPH?+*;obt4& z+aUUGR$>0Qf&7B2qM`HK4AZMMyO@VK&*JXdY6D&z*exrB?`*=ow|Usy$zrkiQG5$a zBKLInN(%Ks%b#2ClK|DSAV&}1C*oXwp1}P5SMNCTdMb~clL_+v^?+QT8SyiYPZ}?6MSJ7T}%T~LTaEosY$m_#QRCN2cbjFi95~zjD6h+3mZ}z2wdx<&UBA# zHc*IT&Ep+o4d>$F4n)OoT5q@>@+}oxU0F(GE4L6Q<=C|`l z8~D`eH$b@ZF3%=Fs9`Q|H)y$hQ2}%G@9{FILm2q%`^{4HV1-8I8Lur z4;wVhL%ptQ=6Q38EHm}-3fPZRs1Bf@=4NeG5rKp`=LH2i0kP9S z?=@wT00v3z3&~Y(=9?hFZgO@fbJc9Mdxz`4p>aG`r*WN?pRIBbq6!losZ*>*Inhu| zrIoZlYI(0m*%0?6zRJPxAy+gYSig>R`Gz@hDD5KY4m*nL?VauzG!L~0&sNK5JbIpJ zf&uA`euK28&gyxRFTfYX;wGop7hp*W1xuy_MzQbfYHa16XPY#}d%0Ayld1N-qnVYx z_49^+z=Pg?d`>@gTd9L%#H261h;J+Z)uzfu0Q&|7{MgeEY9KBI5u7(P|4kKEa?^js zjpF%F5*O}IY3-8ILmP-uy?l(j#4GQ^=~r|7vnxKflD*Wj7NG9Hfp0p9MJ*D~3kD$N z!r%1mUz@t}3e^wiUaf?@E7`F&b~Z$ZBe|~IjxShOw9K8p2^;RuqSw?_O4WEcA1C-7 zcg-4TVMB{$U_LNAQcpH?2c3{-*Z%|_=3kr>y4ol0eTlP1&pR0I{Z=;~jI&7Re797F z50M1hSD-tG0wAscWoh*)l7J}*_Zjh-26;`c0&_gFi)#!8j^WR%05pu!zq-hIe+hgtYD8epq~DoN zL61w`&1L__R#^;QKF_1byE*qZ^Z{;6`NMBWA~y3$u%v7@qn<>7%6 zp>5+ktG;P9&@3z(tO<$I0rVrTp;8mRoD`>0)^ za*v7ez)eP@6_<4CX}FpJk0kVz(=Y7fU!VNt7Tdv-W$pg|Y+yGSm+!r<;e9ZYOq^>o z+zKgjQr%V&MZwg+Zj{|0H!IWUiO z>ak%%^O??Zi?hhiaf8enbF5BVPLqbQu@tyiN?zT?y5c|DBk1lJZ^QV=L|PH>5@SL+ z8-7EplDZyXEi7&IqLF2y;y`wRPA%_(E0&vXIh_>JipiIo?fp=cC4|zHYC@q0Kr*ug 
zbOKVxH}B&tey&R|iKZwOZ*b<0Q4ZhAFX8FsLQi@|zTUY|h2IYUPOYHYt@cUi)FR612x=o@iNIgr+mwgwIX_dw!wlp?dJu{gESg8S8Tm|NMhG4cy>p_jVy z3_BSz_RnMVV$%tqGll{OltY>%V1FA~DyT$gY-BYr?=A4O?Rb);x>az;GRMG2jftmb zsoaOTHEyGfKEuaUA}X|2VgsYF07sxQ=#hrsy3ykHu!CjCT$)hKJ2>(V9bO!$gU-8y zVPY-02Jz_ex8mK0bT<8;H>Y6SLuFE?4gtG(g?A6(*-4Qcet!QA%#cweFd>KeH?@wS ze^!=v2~X3s)|2He&DigXfHq2oO-~G?fpyJ zUkS&4;+DEPT}3Z2+;|5)!h6lNVO0~mKGiwut)i_u?Bw;|>l4^Nm}YR33(Ob{%QU2M z`6_aoT*9?vDFpJv5S3?E0gJcdsL8T$>c6_NNDC1}unSgVO-9$kyBTQw&jj(fRjg!f z8B&d4uqurtMJ`<6)edO)e~jNR>olg)L#i{%!(ecNgk5c`JoPQ4P%H?@wJyP^Z#JW~ zu(5*7YicSxKKi%&B{8**hJ-rY4&&qYmW^`AHZv2Q+8oG*dP5Y2fKZN0sl@MX(N8Pa zg!2?#8k@W3wt%Ckau0>In-F?B&O4a}z!h3wqP|>xH{35wNG}G_Dz=a3rgWk4&1BN1 zGU9b~2%!O-0HEx1E<|2szCeNy-?zr+BqI{#%m6`y&Ytlok$P}M#@rcq$$ZE+K$x6b zffk=y$_l;!gM2Rr_88Q4ADCAZs_9@U+e~O}yL`!hk#anF2T6N(ZM{EU&iTh{{P~vK ztv@FV)&mNOP7oHAQt;Z5&!Mw|M4x=a4F@lPk!yO~&A<6$1QF)^Do9Lpm8-T$9M1wg z%w7hczFE(yTfC9^dLZSyLajYMtwp%23)N~}?6+jy!DRjsKxN&#NUC!L>o(qmezlEe z(6TflZS+~rG;ot&+XyDgU(V$l5AD(LI49)Z%V4Ycm!s5Eu@@(+sS*HLIr%`n6PMqn zR+}-`=shM{phr;s{P3QDLZf89-*`v=bB)5qss&rFG8lzLd zH>tfXb}RQ)%g5%bw935UM`0UU_|v(Sz}R6+el${vjTqF>@Ag2j^J5A5^_FreWZ-s@!Vs0y@hkd>M&SLf$b} z>u0$CjJPl(Fdx?~9ECD{E+-Eks}^e(sBdZUMozl9X<;U#2G|mW&pL){i3l`%4Mrzj zYV^=|frpv)q@hj{&khdrLxvA=AEVHndayjAe6+RD3e*RSN?J?G0Rvy%ZATV=Z;}za=vf!zo9KbO!sdkFnIehx_wJ{!0tQpzQbG=!CX@{AxnH!~4uAQSCR|S?q-| zz0rI->x@Yg4&K_HcQ*GSVNJWcc= z(%-KJs*u%U%uybjLLisNBx+7?+j01t@mxq9BT`!2=`a{PH<%s+v*3$*p?ZH&Cb|Cx zn!U&O1&svf!1ZKRFZEmYxj)~vf5NSG12~eF_Wc6CWHDeS|3ul3HU8FlW_)xty}U>| zN|dW=4W@fUNJ^1AlYsXwi3_j1%FS)yj$DtPxMY}&vKq%=bC5R8Hr@m^0~tB9K^RUw zT#T5Il9~94H0#zc)fgG7*W2Ko_n1-k(tBWInHqj@qeyYZpOEa$Xk#kC{bsP514NYW zwFj62ex~`dOPG3rok?VT=9FY34r#iJ{v<+tN!=7Juuiy|< zhNLiQEm-GELxZT0YS%Ff#?gUODQ%uFZK_i5jKjB8YHc>%q*va1e2&VKAKQwBU=lee z$^1_u+j~NTWYXJC3V7M_5M)|v0FsOZ414OE9uSaQ+$#h;o*n{kpPx{nt=-nUDODa^ zUbg3z%5}h1!>>TEQL_WHsl-+VXof&?QVu$>?xIS5%0)`jtcH()v?LTdf5XI|Npi7= zplAh5Zn**z%v2sQbc?>#vOGtqdcB8i)Gn@v#Iqb_{^tH_8}9Ebf6>fU 
z&ixu|0D}oh}gNAu)mOt{}nXg;9}$YFVMjKo3irxKMpW3lJyBc=dUIA z^>q^N@$PP>!0~CK%vthCB7Cq}Nh)fcS=jH=fBgKQUm`m@4>KO$J~cO+O)L3dTQ5(m z4qL1E>p6JC{h7P+NP9smg8lNJena>vftctR$q*BPK%=36fc?H+S&_@3!g{jf6==s^ z28R*rF8lz%bI(AVByw$N9;nz9F+risJ$gZeNkE91sfit^iI9olA*4SLMBODpmCrhI zqCj*&{V>1~#dqpyN!NV%bL1zfoHM)ZK(&c%{bC9VxHd2C{qk^^!C~wEfIFZ6oYd!Z z7K`DB*N*@Z>Y>^M3bx`L#BMJ5+MT!1#@5S#S0C9Hlt1UwOv561= z30HB8>4$V>_BAsJCj2S=Nco~hLiOfW!w(%~@6`O~Rd`$e>p4I|9+e+M=Xfi6gLt*< zGUfpM@S#73R=rk43?2~8yDt~dK`q0ALA>sQfCG^LzMKoH0+8>puk86-)oe#Ls=s+@ zNY~c7?a{t}ssS{LNKDWjmz@Cs;u3n)Rq*R)N5GHms2DvXF3&c&wBFokzMeE1fXN*7 zqsvBKAMFPk6*UC~4FrfFn4iy&$$&1{lqaAq5a0#UXILR#+DX?yk?*j!eo#R~eDpp_ z{PXe$r9x7$&-ny+K3aP*zk_iJ3sL!jFT=nNeY&|eV8cIKMG62&B}m<{Aw}89AWx^a z)x1`0eRwGLDVJT_UD4`_6TQ9jvVo6N!=H{c)WqH(A8);JAih$}L_Z`YCErk3=Xc=Wj*n??!$usU^*x%GLy+Ad_!2_Tyvc;-#hOpE0-f_&PQa6d5~ zp9J9NX4!t8FNm(>FXTYG3A3i@0Y{x6S08$=R7waZ;I3?bc|RtB+5^V+W5$l29Qztj zFqrrIAR!4*|IdAqaQMA2-!P(?`L}bheD=GkwlaI<-s|M$Ah7|E2LghJ&Znb#@oG`f z4`Fi^o&X=;cx)mn5Q&^=VvxHCe-P+i@Xw_lFwg*7#TLq&Wb{wMRG};afWSQUy$Gc3 zZ1Z$84KmQDo9JzT8$yz2ZQsOw$Rv}bgY&bPIb)%*Durz9!~7@O&>JgYhQDTge=H&G z8pX~=s(^q&LsEPIcI1J`IOIdnIf9@uGEMcvpya`h3jY=p(TCS(7sAw0bedZ(L@;uN zh+mq+n5?P3w`oU~J-a;$K)ys-@w{$*DuQdh|KW(V1xdwEX)ux_F+h9Zc5Wb0Yiyt; zf}kZpCPj2xGkV81!VWd@)UJ@RWe8y=%?2b(J-}h$8D0DjB>%>b|G4Sd*07{H6J>xDxlJX^4YBhKDjO812zOk>S_+r8E8K ze5O!BqMrJRJ_GyEwg4h(?K7X0lLcmWCLNh|CIehN*4JCU)HulCo&XrLUR#nBRLop$ zJg&LnacxV5N7ULbfco_ErLvjyWWWlp+WM?Auc5j`=<^yEWFSh_9gT0CuFBcYpz#9| zmV@~;!DUNX63(lRln0cP5ZLH@M!0`Zl#+dOh+3IO(#$D@watZj?DFb=$CkPcDbWZs zy9Wn_tlifHTn{KUE+4V3OslRqhw5+b?vLzh(FDJSlHKD1ZU|nT>rGOQS6moqgY`2E zN1j{OYDGh(zuU4QY&K-tHdN~}5VJ5dY3Bei}JzX27-^E zYEl|5j&l%J5A!23ks!ZgvFIsWJi0m-**%-H>0}xa#`D6L%OKPRCwG^np^B|03c@Q6 zrf4E8pE_p%jXNH95yELxohZ;6I+B~4@D9x@wzIsBpSsVIQr~`vkGCQdQ`h~>#~mj= zj+R5V!6*=ZQVEEd_N}8-qU0thaB1@NV?%d} zsD%9ps;!#_MkW5~!i4DNBR}VN=dzZbn5f(P_HG9~V09~TN0ZxT!!?uis5T}~swEXp zhiWDfP6w|X?P43mY5jZkVzEJmh;8=$`ge&>kp*?ID|b6Dp9Q!sF*M^;_4s`XcH~!| zg}gLU-M{ZE>a%IJfCK`*Z2{++zrg 
ziFOA@GhN@!yk|?%mp%-3BZkZc{ugqm>0kb*y5wPI4H4c4Rmb((pMH_mdI;d>VgjX! zeKoV~^5ot%<;P!<;7@9tgRp&m_S0DeIvG=1AYKqUarF;%?>I7oLUPBy+s9vfUO2NU zg>#OlCK4NC*T0dh6I5LIjVoUkGqU9PO`Ppl$0WIZav^w^6bG=glg!0?k{E#)OS0sa zxx@&X4N$OErTM>XH9Zy9!#BF)6pSwOc(Yed`(QdDLC@X_hGF=yE1U!z?9J^Oo$ir$8OvULxNZ zXZPapiM3`CEwETa*_CuM$%@HvA;zXa-)>D51iz+8DX&7cD1*|-jUg4y{5($tY7q@F z{fv_&{=4zm=?~|3Rqz2b0fl;0u{9VqfRd_Hn)${{-q#a$r1^ThYU!Rj)@9urnd^Ao1 z2~}X7iu@989+^6kAfXp1Y3H+bm^V$XkwbU+d+Rg}dsezyEV1>LvphoF(Jfhlsl{HD z$K$*HG-a@)td^Ak>s@FhfHb9{)3z^j!tkb)aXIS>&8hOm-l5JQlBQrTrBRW`f%pC2 z9AqCCq~6avG8tK^B`VoUOz}Oh zLBzPy&Zk9S#)21!gqj=X8P8n6sh(7c8cLYM-gwlTYO7NQQnz`!-W+Wa?E0IsO;ZE6 z0M??7UaXBz6TRS=grA4~jvq}>p(#&%2>IuH^utLleIN5bY?~Na7RY6NY`hw*HoY~E zcu`>HfY^2BTD+}bTWHYrvAbvqEWUu&pV0zLC0;zNx}7a^bovdFXyG^T@Po=t>13H| zt?fl5DlogPj*r&M9OOwPlyl70XD~(mO)@mLhhz0HiK8?-^Rnd+532Gdy>&8|qw1sY zNztL56@@!(1hM2MlKy8LGFIcV9AWcSR$8|WS>8hryN+HgVr+l^Y5jov^svPoM1Ubm zJr9S3ME;&m`@?Jf+<`Z6F<#vgedBSMER@uF{BBe&4eMyT9lv@KHMqWfP0O|gHZpE+ zd&E8ENO?jzMXNZtFEY>{bwhYUPgOh8+Dq3*^1`5fKb}sfM_58XY)$)(!}zR)gYI#s z3J2ewenNg3nz1Gxgc-fs?qR)G&!9gN^|BjmtrwZq?veIl4#yX;EUtiIyqh3Jl9bcF zF{I$#@ySru?w(IB`UfHH{^*E8E9Rzer(1K75o?Lmi0toD2|5|2&8BF(c0J3xW~hP* zM@F?y$=6Rm+-&=uM!7)V6F+$nw?<{CamAG5)r4KO<1Y>cK^a0WXYrNRHB}9N%zM@3 z$&`i%KsGCksW=KO$jzne5_*W9Qa*L&dd%2q7C#EP|ImsUr7!Y-ee2&`^ecn9n5cC| zim299K!;k&E4$9a-Kd&jXrQqzYV0@`?P)t1Vz-5@WRey3j@fM!i$H;7=8K%_-U{ni zlC;1KZa!5)LzpWJMsDWP^&m-L_pN)RN?qiT;0yG|C2DummlqG7%3i+fU91ux08BV_q`t>)AS&htUZ13h&|jYHD2=@>aRG67Y>rCJobO!ZjF{PXz#`s$f%Xkh01MfP1b|dnwsA2#x90LD1!ML zqRqv%nCThVw)9oOaqjPftIc}HZS(-0CaHZ8cT8@GED@uGuv^){W zbV8-FM6UZ7BY$^y;KwI=Wo5v92Z|(=1-o-F&2Urcp9>?XiS2KH(I5$sR>!v+GU?%O z;;w)s(-{0z+Rs(I&Zw@3pq9XHlvBXOk_>=wg;*FpKK}Dh+)oUfDu1o)>dzy=B)9w{&$^EAc$-ky#Od^aK2|=w$V1qX!9_r9s_WCi z;?f1fnM7U2WpSf;^cytjU_JBXS0^{H`vF#49~rd@KgAa|RuL!o_qy&?a(YJjlRxXF zf_L~(IP=^L)W?0~BIt*{!RpicOhc06$s?+crICh3PTR}bo}xxt8YeQw$yY@xX=WlA zSAf-=fYOX!>sGaaW@Kubaib3BM!w|T)~3M&pDp3bj`;& zu9B6Oqg#cs2r+k59dkZJdDR^{3GQe)uw8wYLv~5fK=;gpw0sk)AEqvUyPl54Fz3+L 
zh45FV)(50F*pPq9+1JZ%8|ldd%{~RPNyqXb1-#)ln5L-)L$gbAlS&=61eQ&~PpnB>&lTn&^@V9~@u0Ntn@abCj)G^83o3fn|BEP1g z!?Z~jjTo6XzylPF*f>0)QC0pftuj=G2g2|i$5TDxWj~h}DIzA{30xxr8U;FIBgsw8NQe!yuisMJZptdlI0UO zE##^}Wrou9`4T#Ilj&$Nj>5s2QcFo_PBuw?oXj~vDsIJ7+ zdD+(l(JfMh2k$6`Imq2*TGXO zRm-}gO4B~@nNx|IF3QND4)N;Y%CjcO=aVeshBdcGkd{n$vnJ<2!k!E*uYlgzU;e%A z4Jj>3(QU_HIpWe1v-k*MKUnf+k>7ZV9h8`_nFjD1Diwrivbq&x_qC!i&>&i7)C%>PAvC0 zzWCl!PmU2mUC#oDmJq*Db&=I_^&c47_gB$AK6F=<@O-h(6t|#M(;ne8)=o-$lX75c z$J9eAJU69o7NC{iv5;i%bZ;^(?KvV!_}B0uZ8Y7rz-v7{Jm^T1o)m)giJh+b+zyYB zIDpE^;(yxkY_)MIR&@ShzSp5;1Zm&Yc?8MA+BDCL(%Ty zrz<{J%8FcAug9j2NQSo~wwkyRzL!_fuoVxiIMhG*PcTd$AtE|ZT_{cW-RRG{@EfQ} z#=cYc{*uuqV+=8FzV5fOX?~@X^jcXHRC6;G6ZI8f?i7CPe@Rc^u4MaGis_^TA$4FA z?sB}kEj(~41k{aW8xOlRy>GA^bw1lBsFP;9*M zanDdH!sBieDY9+HdnvNt^4U27GY`g2eNS}|44 zV@8Rigi(yLyvkmsta#V;crwGx;%u+?OxG=9Iz0iqjI5d61#U<0ca>*{K<{SNW!fGz zc2(wI{yaHr7>EbhmtHn~srE$lr&qEI31_;)n0u3>LMceXW1cphaVGPxnzEmPKepoE z^yfDuW2lZDVpm=y#lY>@Eu>^zCQhxyua_Zz8JjEK)Y0AZ* zrrhUK8Y@r@;AilS;DQ((>s;5$q2qFq#ISt((4EKeF=#ERv|f$-KMo5ab`X@#4-zS{ zzSBn@_(^4HG++};8E4@x~fYGwDgHtxfS&urj73CDd}3i#Lc$4-Vngp!+*MVSmfBbnL- z@jkD}W5^^~W(#Gtr11rq=1mRwsXGGi1;Olxk-y56taaDiKl6GFdQ%(XA`S9<#mc^p zlmvzCBnSpsS8D3k^yO*bqV0lk*7pwGf@d4stY&o`x{YuMd&vcCXlJy~1*;&4lgWDS ztXvJeI!n&sp~jmYsAD`$^V==2lM|EW>olu62C1cEwGp7Y)^R>)A_^v%3!;Fn4_l?` zb~LQdZ$sC0* zD`mNHZ_@>dWXO7Pmh!f(OWU!M=r_GDD<7$=dk9pi(feFW8QUyturJoFc(Lu%=?kA3CkfikaMP2-4{$;8>3^75lF~;ncMe(Jm5UjwhgmeJ;pXXy)_$y4h zsb11Wz^P?x5muvP@Ixd^QjVKW7VbCOg;#@JH)}@tE>=0}(+u=Xie{x}W6#a!WtCB^ z+{Lyyr}V%pW~-+n%d$0f;~(`6_#6&`{!4BTG6#j4sO8|(cv1I1sjyg+RNhOeGiBZ^ z(dAq0&X`BX%v49`W|)A~(Ods&`T-eKiN*QRL&U#Yc6X$enEH(Zgxmvv6*&6obZO$9 z%gtGjcV|081NQ8>sok|iq$ldcJu6%T2`&dWEd*uFE=ETdJ~m*>%RI>Ac6n zzf6;pc&XFT1!((g@ZWtMw;5Wh+`gTt)b-ZO`ne}2OByr9QQ|<@tE=`q3hakeU9-=` zep_@t=YCb3RkJs`z~iSit4@3G>$`NWnusUzUbX|>ZuuUOE~wG=m6Ww$XQd*_{RI_% z^kyxxSL>XU(<8C?6xM;+;&=|6{8ZmIh%`p4N$h3!p!>;2)FDSbY%PmJy?Y4%s`FC{6AhSAXp9?ShRjPTx%<^SY zKsmGP-PD+Ka6NxbB{@e7R3aB@{Q4zT(vzaXjSJGm`?@tclX=h2OKW=F{L0bf+J&4p 
z(mtNjw}^&I>@Kd^t`ia^33XBi2jdxUozlqHsmtMR0o#);q>D>eI{WQ zCOzbc^wo=zE2yJQ*B?)`-?iIXOSqWIW$i8AxcaQy7D^gAmJr;W-+&Md^XW6A+IhCj z=t0v;6wOuAZ#ehvO}c3foFGMH@xD>) zV`FJda&tb$>#kbgm{fSzJr90*?Cd`YO+hU*kL-^Z*Tp4^%ou5H)Sv$rJb3->?@d1! zNo(=GkG%#gty2DZV5;a6X=rEcbPoPpM~lEK zpX9uhI6&_yWL~lP2es*{lmux|lk`^2wl(EqOzCmRN>Z1Ytv&Ev6~arKu147waj+91 zMx;|5YQYXP)Ms|D$&{(JwJpO3$7Qdl;@}m zjM5}%1ZswaL*e%O0qNk7fM5ciEsGbxS@`gR3WW5-Jw|H?J_nFndarS0k5jl zT+;={WD@rTD{ndz@wfPH%7RDHdHC($J@1i8V@L+jNh|v0T9y$L5u$u1VR~qS<0}itp7;@0daM86;;WvB=DC8Gt>WGRA%8OqUYxL z5|x>mzeHtD_Wwsz{<4<;|B1?MU;q0*iOMz>wk}TpEd=~e=J(%1K(_yV2>9he|Buw~ zOEzZa;QF6e|4laj&prIt@9SPItexY>3-JM0D7IDLwJGnRLPcy~1I4RZ#mmkT4kmz1 z(puVTs;rVjrBWxqB&Cu+EYH01UwzZp#vf1C;qzzKBmbd~!lYDZ_G{hCh%c6N19Wu!3C!KiK2#Q-%3|GLZ>C0H8nu zU#>peViCN!kpqt;#E-c#1R@eh0AbCVF<6VA|3L1Va%eauBM@4WNj!yZ!L9$=rG~En6VJS zV0JHK2fr9`3iIUobZ04oEN($M`H?7oePn`wIDzTLfWopc2ftg(4H48o7X%UN-fRaA z0TKJiys*2g7G>(c)UOEy|9*ie{?vmk4y!(2LUmHdgCP+?Lj?=5(oXs)T~De`zamRVS)}J3Ip>;1jQU}r1~Sl zAWISItnn4*bESe7>^Knm$;&>7m?)|%*w4KcE}cl9KvxlAzYDn{bWf0jk_v|iG%hv) zEg9?wKZv3pl-ai4ape12ZdWEi(lx#e69BdrdjTSGhCEG_LW=e(^4$;2O9a$hfze#C z`_uL9R+NMU%&!}78pNvv6<+8j`%Im6{(1_#-CH4rvHN?_eik&y-RbQmr4?NVkz`Q% zCa~4@NLyi8W>aLwaAmdwyk2ZdynulP^@9qt?98gSg^hv~6p(`oeU1ZpNWt&tV0YPy z2tlOZiEfKE&gkFE4KBN058ulX1iA&Cj!9|@euKGx_BqhTKn#PvlHYtz+-(wnat3^k z-hA#n0h|RV`v(uJ6R)eEKueE(O8TZANK(D7Io+pAj5<2e2d*XLd%gxf6~w`}PrGVJ zoQMT~l3tiG6JitxB1zya8b4U+_p>nZ3sXbjE#cr>ZTg#18ZJEOf<&HvmoEJ>74lJ+ zx4H*+i=iGN6&*d$o}+&MR$m3%3kvg0&iWHZ3S@Z>^-Kb+w@yk~7z~*xV1X3ka&~=GU!yJWqF3Kghv@?Y!atTa}$%wX%*au;<7>&_=S7hVh2^)!W~m3 zcu!;K%n}m{JigXct4KWLx3b;yu|-KQ&A#*J26Phs!Iz(2Mc$(?Mp8PSk(uAj!l_aG zr?I1TLzXU=^#_n~39D4866i7)tJD~_2Ho<*q*S)HkUerASX-oDQ+MK+6m#xsMOW!X zP#A+}G(w0+!fdIn37UIN;Tk0Ll}Un0eXpD2o>jv zb)02t#gSv*aw(HR)gdisY(^I>VL!FqV>Kw2lFE&`!3qRy`F%G{1{G7EZzNN=_x`=Q z%8&?)^;{fyHIgjxQHqO8%58hwFmq|j(npWS5at6`VR1(nZLbD$Cw=ZlAIc(*J#KJU zrh@mn`A!?K9zADYC*EFC)l`z!UAPu{bQ~^f2?6`0{;{q2?nmI?rB-fhEC&TztNM^u zf4*}RdJHU}Os!%gfeoQw&}ApTb%y-=>Sul(9l_Oz^s>v^m3HJSkm|!q+OO{IDyJ`M 
zU1ZtXK9mk1eRb zt*I^0`X<$7>>#kB?AeBB5T(1!k{{%Aruv|W#9hYd2MWE&P3^++y9tMZM;r(bdb}2JCp^Dk5r^nMa#F5c5!`ZNcf4_vE$_LiL z&6gjBW!a7smnK40tHj+G_`On6mwZL0KL+at+2x*$Kje@f6$a%eQDU>HgJJ~PM#ej~W%+Xe)*rkj8L zW%^xEzYwKvr*&<{Za=?MrmXS2GkA}pJs8bn@L<^FH)@FXPStm4&QiAO!bBTO>jNEM zETvE%sa8B3ak$Y;(GyvM^*mAP7F{oCpxpdU@Wv*xTHv#wCIumA$|ziGT)I2J9aGKy z*L5HV%D1lSc+C0|slY|V?;6-gn8PujB(PGdymaHhFk0-CS#9^}oc!yc{7f#cRBV|Z zt5x0&@hyUKU&g(Vk-PFHNS|aq|4J$w;(ORs$%fK*huPmRWGq`#cTziaXDI4$^GuNf z$-Z3^j#{mgpqJMrEOs0}gS|rZmmlIskb@ul&h<{PNZ|U(6e>4{1v3DokoF@|l!THb zqGj4PR6H)^(Y1x-Jn>htR~n02B_)r!$F+NdtGTjJ_tCG<5M)sbZ#v@CEhM9x+8g|D zD|`YXwyFDG(Q&11fuapm_eI_M1l1iHDtumNY(uO&6T<(QHA@TwF{+w31$^S%8k=$OcVK_q~%4FYF9d+TmjlLI1P6g-2Y>xHRZ(^OQ&f5E@u{@r7C&cyT2NZGwR zsS?B{Y>=K11D)VOaVI_%x1J*-5$oYsey5GvH`!PXTDG_5J?~7U*cDR;Q7oq>=XLNk z>+U-NJ}ItsoDpakHMeR=*DqHSXJ1xD;h8i*wyTW(2L_mh?Foi{wOXJr^0oMVQAPTu z0j6K-_@0z@ZUt+{Eh}Mf`yF3`X4YW_VM1fyWtxdHjAa7hEyGkG0SaB~mGm2vR`Fpx z0)1poe634$C#}ZVSXl4rc;vkTJBD-8l=J1TifV^^k;fy2jp{^BJz&&KR8hn|>iykX zm2e-WgdKPmKQR_bEXg4=$}AQ_GSOSn)}MIsJgao5Rev-5+nswa)N=G zA(fO8>6Y&9W&ouTkO7nqK|(sDK?S87L8QC8`yKUuo?G$#zF*&uZ;oS*W9@6Ny!Jk? 
z71v(pg2`qo81x+`9r)%kr7%W%rLCKYDP}(#it&?{8PTUCaTIsNY3TG)Ko~U%5VByq zp5+q7f1UP45GzV-J~%OL#KM=}e_Xgy>vlZ;0Z_f(Hymz4=S4DELnAK?T{UbVJ@VFT zw`4X%wC(BXBcFUH&=})mw2oWQ<+o|^RxASFl8BD;hSS?jRC_-v={M= z0wz6&PKCAlW%nn(1vC`^5t-fJxJsEXmK}#q5YNC*zcX^LVvx-R#|^5=9NrtqKa2_; zeBohmYGLy}BPwUk7}%HKAN=Zo=Tc>b`GD7NHvEo)a9xB!tu_`{+9vXC-=>Wz-{bN0 z{csEJhxFOvoAwKIs9u}$chJITAoW(GlR1HB*K&N6x7yFTPO_GsJ)~ah~&Lj z0}#(hrF6I6d|N>2UYk%T_)S4;z}|T{o#`pso#FZi1rHa}%2UDxkBr^*LcjHtGF+Q5 za2DuD!lA4ikv!O{;7#trA-SIke9P0isIjPl$m_{Y$5wczdX2T$!e6obMAMk1Y-cKObxr!~7fBgJ zy{DP`wqeS9`RAgDwk?PF-K4Hxnrx1g-q5pI zX7}9kVa|RV6Uwl!*Rpz3w~54A9_S20f9a3W_LvfmZwj}=q|E!kay6hS!)A*FV~Hy*Pi%b&WIAhuOh>G+3_F3<~a+r4L$Csz8{XNbZbP7O2d zR49C;_jPblb-!VX{PIh7FNd;W1Aphc-p9(sLc>!MN84zyj}mGWU9{qUq8Cm9`u#IY z<|fHeFU_hgvTQ$3S%w=rW3b&>USZ9^MRN-Yi)3AbvxD;rWx5O0iG|o|F=sGk5Z&cV z^XT?M3yD)-UOaKbWEUV>^SA2Ev#+`vhXMG$mY;7S$s|&G-M$XGnCP+6(k0j}|Lg&s z7K2u!R*^0w^^<(xW?^_nK*QI2owvW$Sx9bBs!@_1&J$BT^lX*Iz*$C%c{6eC0!YuQ zmn@!T75#vwz|!%tOOcqPU4LCgsw_hBMpIL4t;rn+ivd3k*6dIAZl;Aqo%v>8KD-S+ z(X`jd4baEvr_H36`w)zlQGMrI6KnE`CyR>x}PE0H6t2SL&x!m`ukl( zSI_wqEzgnjZnUrFV%;)3Y>vhxh|4HynMQ}|X}&Yd16ENf`dv0IMIb0p787X|o%ym4 zbR@EGytpsPKL3!5WHIh$pOr4M4cHUrvio_$dg16xfl^C?ZVUooH)QuJc=ch%DweuQ zM}WuZ>;p-|bD_*?zg*Ta~|)# z%$9P;1C!BV41bxEMm%TmdxwZDo$D#PCY>vi(v~J79sPT{;g_Q zoRq>CSH7yL2+MrJBb1^$*-T`$Y~XalWO_*7uutGI8mv5Pz4!Q6P@d_nWnU; zBqZP(UTl(T$c}qUjeJ6Hh6pEu?JAHtsC@HszFp2z4N6tLm06+x2!B2HY$#q+)#D|P zOZ6Heidvk*-D2h9yLVZNsn9~y?0I`|^OCk$0Xfm-S~fSULimfj>27q3ADyS3RUeJG z+6*)^Q4izMl`1~{cuz+LOpdeItLip2BN!x~7FI0>uGqygfQE=eq>|Go^%q^ewv!_n>MNF~{N5-GG-5I|f?ZWyz zURz4|K9KLhuszh=1#34VvS8)jJV?iNwXGVbDa7z>lVmjI);a&6RYC#w_RFwnB!-@8Qc$up7^&RuCbWcIP`AZ4qq? 
z^ZXVC=|aG{&V&&5YnR*bDlgr$qba%v0UgQT1~iH=$}MD%8KIz1;^obI7p+U3#fKV| z8;AH)b=v{&H0~wz^)k*g4RbWY_IEutc;B|EZ&z_M>~h^zsz9`>SD>|z?#Oj?7=dd- zE>a*7&D%t*@x6p2UEg?)@pO>oY>iXE@%)$yDbmJM=5wdTNjPtaalf@tZOO#ltsKj@ zkw%GJ(NtRmx1ueUHROxGx*Z(d{BZwl4?9yf)U4giD2-daxm>e33STH9kpt7_z>INc ziV)PE;}zO5gN4uz{gmZn;Kj77@ZvNqW1SsVKZ5&I(bexkP(%{?&h}{b+qU$f+fU2J zOssd5@HYcExR6%&KDA&Er=b^7Bgi^x?bH2AwbJ*2aV`dYvEXXM65>V*ZjxQ#Ng<@6#vqs>|{LX*(=M~Yxepl~w{ z?4aIhd>mG#C!cn6S`Vt|boRkD`VZc8w4H8szxc93A);-bExSoDH-CekUBj?66dTd< zW_Y~akbb)vXVI+6ApzFvvVoR-j;%U5PFMGAGcH!nZ{-nbNtJ;xragjp5ce*B>g($k zea!SGUF+fqsqNSD%O+$3S+@ud-k^iLq}o2uXBT2J2jN)Z-Rlx-NOJ??dltPDIxZ#A z-g>6K$9e`+Blpea0^6i@xnDlFYI}JnPP4c~YBnqOb5v;sOaQ2flnNC%raOgh_B#4fJZE}y)U3(h)B_`}iKb;J8p z>GZn2QUD1fxe%UnC2q;@fopV}kvXp3;l!eGOdp~C32Ipzg|12y_ihZxJysw(O`Xg< zFQ#s&@6}OjO`Xrie6N!gQM2pLo#i+hbM7X#DdwxEO(eDIjlb2Y)j7P_=1Jdwp`Mdi zYLXCFhG@>xe5XOoE$;0ftrzw6a50g6EZ{^5m;OGhN@UX6J`dA7`IMN=mL4TUL(C3% z9nh8KK@tso(?tyYlz#tZ0A07oX|HxN`}Dr|Iw*M<`b6xAOr^%^S&mP^j#kd1n=i|{ z5fd6HB*4g~inAw1wL|bz(+=~m&I3rpdstiEo%c3juVPM$1+K%uC@b8@_t0uO zvhqudfFc8ZBSkFT@({N7vp%q&c==#1F5Uz**l2y4qPvoWtcd=W5snt#I60P=oXI5n z2;!^fx<_e0Ud1~WLDxwk?UkhP@8G&m;4c5BXLnklb`C=AEk;6_Ht%%#)dhAaGjpb4M zt~esfHGJ{dItR%z_zq3dyEuTN1fBSclKO80I4|vTR`=w2pXe`!*~x0F$uRg4JJrA$ z?{?jy6?)xO_?$DX?t)Et*JgI+duGUuP(ItzR=vH!i_%W-7_mOacTArP}?F0-{&JX&_6BU*V;F*mqr zFJ31Wv-YdqY9-Lb6l%T9@+A%7x%mEd&=AF0?*W6L>@M1P^owXnk^Oh&e+I67GuuPMD}_&r#ZV{2)S@J7m_k zf`+%NJg)OPWX^7{OeFTBf0wQRJt;ADBY%l#mgUk`hA&*mH4UJ05i6x$KIiU?3Eg)F7^bYWS@_eFqTId>hcC^qG^nP#e_mP^j@Qj;j&bZ9l~@uCgzCHBne zKaZ(W;A7V`@=o@%R9>R(>p4zDyt^1@zXnsVlw{USe#MYB;gPk1Be^t zC56Ix{~!29c~F}dfBHtvoS;`poUM!<9j%=W&HiwY{_uwW?j8k$kiMCMnh=1!v#pb{ zk%5(ixv7~Gz{c6yz}Ugj+|-7F8~*FwuN!vy4#qZC#wJdHpP`>Z1_%UTXlre)4={7L zGc&gN4;i$hmA<1Hawzj24#33R#hA;=Bsz-<@pC&TDvU~EWorX)G`2SX8A7>X0mk;u z`c|moj2)fKZEcKfU2RY_)qsZ#ywKkWsUHEP0MZOlUVtn>?jLSy1%M(z=_fz6DnJdO z&Hx7jG#TKiTA4c-I$N7q8M`sSp}&}`HGWc8n*dA!WGGBQSm-~ba{bJX8T2Tw@o$LsLZMb2B6mqmqf4a|f5 
zoWsfs{^f@Th}#(28kyUeGJrupH4jj>Rk1-e7?lw>@0Dl44J~8N-M@yVqWD-{0ZEt7 zf&fE*C6X|AaCG`X&&>e(v3XVhKNs96*SMOwk&~Gt0~qDGMm^d8Yk|LV`>oDDsJVYs z{vRf8)CSof%-g?w-VAsEWNQ`!!dh9*b_PgXzo_O$6#E_HGd;5(9^(k^OPG~btVM;| zBU$K8sV6u=7pMETN%K_&iRDrzJL|Ub9S>KX`TJBVD@pfTM-l~HUp15?*A6$x#>eM% z+|8}{1+=tAECd9FONJZRD_!&sNA6CR?{7`DCcYPV%En*nbC>E=q0-M^2(flCevup_ zr-Tn5(OsE+Qb~Ga$5W7ocDcoI;lTm9QOsV;!D5YN>T9>TB!0bdRgGc2a7ReJwElp? zSh~%-i@c!qbgrAxD$a22$t4Zm4WX#Ia{;3FBjrI{np`7$U9>4d7f6VZ*ublXQtxq} z;?tu3vAzQbK3YyAAYFlKKB5#`t*`5{&XObX0yg_%_rkqYw!e0(roFIqaiFmLyzsoZ zFM5|;i{dj|srCN4tV3$4aQN7u{V@$u)@&>W!3+<&1nfatLa<;I+Jn$7*1OonXlb~u zFtkD9YHTv!PoEXt7@U2@YP5+hz-W(N1)}Ap_p17RtiA>m^^ny$B0zjHC^mFLov%ZS zdn?zJS|>ZPGx;6`H7^X#xu)0fJXjXe+!)wfoy1rn}oU z9f;bC6#_NOZ=$4xZ4Wn=Npv--Tp4Cd{ z-sth`DRQ|sJhu8#(30e=AAFRhvL(~wugiDCXPNmZYhdct&__VBJa%I^fls{n7CR}l zaj7E%fO~1RmOk2lAK<-tfXm6QNvcllY-xMCHkceGF0A={cH#4=49Pk6o6~3Af17F$ zH_|c(^cUm4t&P(U&U^=RJ11Mz@oGQF`B6~%7j-;8z7P2?>OjzcQTKz(9u@UBRR2YH z{}0vwZy>{DfO5l;jVKy>Yn311BCGokxLh7xQ+aN*C^}PYt&;ckDI;k7QB)f7jq}6R zZ6>#o12k&k$W+s{k7MUN`ro3_IhY6+2iOB+l=h;d}#Im|4-}mHBKW^B@jKuFByN%t> z(GyVT(m+_dyiec1sDt0)J@1~1-MMgw$kvoFsHmtV4%jQj`waNJW|;SC>o3*5{w{5FF0eA7xEz+@|M?*`ei-RI9tF0!e;czX z6IZWjdXT2JYe|g+R-2cy^7+Uf<+^~j9+jjat2=^#BliZD0CT>d>2v(4V3(;6ApPOR z(lRalWW`6rNZDqP&@EG+x(~3!S%TRa`ioXpTgxfj#fQ&f_~=9j%%pl!+DoL}7{lCp ziw{jAW(8VlG_iD^ePRrIzJllW*pjxzeYSeGmzHenP7;*lV1Yq zL99Q*=JrWere&ue>8CAPMR}~pj|4^SMEIBp1^Za8!H~f)5}3k6pL9mHHcF2#Nk_d= zbIRDlj6M-UxXVtixv=GCceZKAH<>*z@VspXI~OIyg`jK))e0d!FBFBKp`{sVk~($# zJ{!B4p`!x1JG}Aii6OWKk^7OD{>KFWEx?> z_b}wPwhAMf=Wv6KMc)%0A4Zm0CR)D~4gYFa&CgF0=$h&y)a})Xh~VB857phS5|-CV z;+cFOG_z4S?z*T$BR^@lW{A)c^dT3{_CCBNKhxlDM*n4c56&VSK0aC-T;9qrVab+>>S)5*ngmZ_?Wl!(LMGI+D;*uf!{dvzxvuBIx8}atVrQ?0~ zzd=uFzrZMV@yS7r(VkRad}_8xdi2!pbDpI0>ohD?j~@uw?EVFM96w41#YX1T}p9s3L;X7f+}&SMJV3IF3rm1yP(6|#3Ohhi0=H&1*8(0d2bVk@B4sNM8TGFMSMy)uTCD~=q@*4>+<&-h%W4y&0XuxxPj(N=Mq9{Y6*wB9Bzv??An z?8n_D50++%mwHuYI7z3_-BMZhUXO7TC9tGDEY=wC^+@kdxITy@WJ&#mDZlJ3`aX3$ 
zk2O&3jcvl)riK)Yg2L>v^U7o{L}0IGdW15wIvOCC)rNI}Nsa8)bKCn1NZSvJniKd` z%rY5vkmv}__nZbZ+6ADuW5v>QxC>A2NN&GWA5_TqHzx+buxl*ap89^$v=8UgbPTUg zfX5i6B@~Dp<43SgI?5h%Zel^}7u@___elFCrZ@EK73rt6)w7ypwJ`@)AfnMh@l|+6 zeW8YVqMB5q#{zFKp-tS9NVqkpoK&PA5V~3Pg@atT zmO6-R=L}cFHEc;ucZ}VdFx9O{ z!vYAbDtZ&MZtk0!)3FX}ap#GTUgUH*&2~wggJy(1mrWN)r-iU(O6hWe3Xpqa@=5IZ zrt?7~bmX$3^WsqDps{k~a>DrXlQ%K1cbX?uMjcsBN|`c5pNvl3i0cT+-y-A6ATBO8dQ_*>Y8u6B}{}&FB)7JuFOKh zi)Jo}Ow8xE5nix5@nYgq^#U<^UB!=()5CSH&|{QqRWW6PNWttxwKH$@aNF&hi~aYA zq7rrK>YE*1CMwM(mzHw;6FX-PT?I;oR{fDfVHPSJv5!l@n1d7#aMSL5h(qH*!~Sqe zh(^S)ML~$RuiT*};LGDnhnHON<_x#yn?I|j_8x%H9_%YyIt$Kk zG_E^=5YLD3oHOryyyhk)XDuc~(6|}!=B3kMsWl1dqQwi) ze4xr5d0@~@cxYsEMuY*m>@&BI@LnC6gKK0%p@xHf35IK5JJXplzFLvD>)Od4rx>=| zx&x|~d0OzBy;SkW2=-&IdlK%-ZpeYy+(0fp-}ISkg{e*5*XPPspV#xm>U$5^j>Q!FhF86BGz zLw<-I3{L{nx!}l(m;r}yM|;bNWj-6&_0$t+kDHY9QDEL0qNwb$zU|`B_@J?<^s>I| z;*jffa(LwOp~)q7>^Z&D0RlL3ncjIp#CR$U8M%DXRtA~3mZ+I`dbiy}OVqbMveZ2g z^OVe^U@7avZBY33K^pA=_F9Ip2X4_OR|Bq(Rp=!;r~R@daw>!M$M`|(%G%2nv%qt8 z`~d!a{P5%ApGh?6pZWH`;|B-`iOlC>MIEXoV{YWgp!IWF&+yZJpuTbck?-$|01z;8 zHXnEm!i^*^P`nNXqgHx=Nb3U1{{%w|^sYf5$h87m3MeY^j~{~#1K!U75Xj35MA8>B zA>d#j996;}ci|u~5Y>!7WxNnx)bQpH8IYU%$4bBz85o4B_n$H#40W8?6&Vi%wK@ev z{27sln;SJ)`%}gZ0bb1z&JEA?MVOJwUc|d=u8p;C!UR5;=%>9=JVPM{$ zg`jHq-!fou824{l`1$;Sa3BPJHA6Uv8}^qB42J!d_-E7M++grkEx;il)XLJInt`L< zt*e@W^CEcuerb4lelOU`LEqfU*a0=8W&kLedl;h@An^c-wzjBq>`>YLn2$@@nAoD$ zL;txDW6%-+NpQo(#6*B%u!mrDe+!Ei-Ie`(qH z9O|Y^b_J60RRM;G^Z%d2?-EQvOv~wD+2sTu+J4;q$fi%f7R$!-wqX6Z+t+Zg#F0+0*EtIG66WTaymP#l52NP zhC+rLI8S6(K8lw&7DjuNdJ(L8pHuEMlIm7Es)ICE>L|$plcFIXT>6qOt3c{{J$SY0 zb=1T%3TYMs#E|`R^Us9{0ToNxG7r{{?I$x-5?S49C!K2U+i`#v1h{GYe|DEYkL&*H z*!a1woT_!{AS#m<__r5y(VdyRL{DjMJUoqFz^}J=XZ+ov|D6JBUlLkQXyy3oyFlAc z(jhnbm~LdZyHAM1i)iZKVs{gEJ9OH~je8cm5Bxu1|3iSLi~m?ehEZTV3D9AmWru@$ zC%0acnuLgu?bAXelveDLBW^aLT$`j`V-y#-dPamQ*~g@Y9F6spv?tTqRXzI!{iA>A zlY#={1T!%+AeYc40V#iy%}&H16ovPF3YM@a!@WQ$OMj+`E{uuYsf#*O$7X7qv`ngR zFHB2}6E(9Tgxv3(1Bc5pSrtkXFdRWEQoa%p$n#tgBY+FYNx3DD6j%yE2zt{o$fz3_ 
zAnms-r-zMe`i?!9w?vRsBDY{>1Q(=ej?;BmCWew$Z5!rSg|vSJfLpCG_<9^QS3b-U ze`t2^)fkqSo}s3nfO5t{T*alzA|@qQMlG&9M!gSIwecDE3 zoGS_O=lIcNT_#_=fud`ZdJNG4F|)H5%>fEAG9WM@Z(?c+TeF@SrvVFH3T19&Z(?c+ zF*CDN8wx^~S8o9qm#`%P7PE_83IPc*GaxV^QVKpkm%wuY6_c}G76UOgGnX+20Tl%@ zGB7kVm(eBxCx2|VW0+>$vL%|fZQHhOv(mQTv~An0v~AnAS!tt^_d9#{>F%@pKI_kl zh!JB%#9H&2K~AisN-u2cU~DGgU=N^YW?*Vqs$DBvP|9`=>sl z|CS_TJ-064nvSXcopU5yz`9PAuS07hKS`~Pa>{{b7>S=oC2Kk)yAX`213ZYmK62b=$lS-D79d6=0hSpiHe ziOh{`UCjRNmj)QwTA2vjTiBWrG5y=6Zf|PlY-?q2rsUva1^BOd(KEBK|3^&C(#pif z-ps{?i2dJbX8)A`KPAQOO&m@A2?0Y>(w|9=eRe>?saRx+}(2dH^E{%_s?`f&fU zng5S1Zv=3*@*vV-Vqjuo{s;Ka^WSfJ{~@OeaCWdU)3h=LSpMIPA|ehRMBel)+)PCD ztSoFqEbL57MBH5LzW+1b#MRl^%pUNsKjxoS{@XUU`e!a?W*%lHFdM55CcGim8QGbD zdVkFP(P=TQ&K~eJGt7-a#cN`la|jI4Mw+S%6YrlX*B`SA6i;a#p!N>B5AN~E94;(& zM^@S%Hn}beei5Y-dmZRAl=UE27lMq5w9yoZV}ab>uQd#u5P}02u;otOs&$tWFg@06FJ*J~BltJerwN!(MlI?kMQMxTF_O#CD zgWh-gtbrN0si8}eAknHcNkO~YrBjkM@kugiSAg1{E_W7~ND<9w*UimCjNQ{k87C1c zN-5?3fIz%OvLsQTNSeoTLWh$nI)x?kWvzP{{!TVa5GKQmN?(jYOPh@jP8o^_d6ziW0Ec)ktqWl`U8G$u6F~cf6FTo_?)Gj1*SDw3s@t zw)JpncTSfv>~QmVjd8?+j#P-)Xn)vaFaxxQqs+tte}h*BOYOFSa7A;gF}gn&!s*Xu z+ZjM!jbJhGm;A z>L|gd>j(oCB+sY_Ti;-ej?lMHdXv#ju}J$S5aN4kgVm5dBHTe4)yl3-7)|LKO1CEB zVTQirP+Y-hh=ROpozA<2>IIsrtUz>Tzh7U5J6M{Xe$|7%H%hs>)GQ} zTl{1(3mH&UwA#)|5#LFel(%*daBG&PK?cTp_3RH3!i)-B!amdBn}1u%xmN}fFm+&A ze$k|7c@Vc-5e*i$@21p`w@mC&m8$@@!jR=%JbLvx@Jt&o^PF55UIF7OvL07iGd3jF zwxmyI|L2$*-!Y8O$V~bnF$YNJ9`G+3H5T@k|CqXPi0j;j7-PMkj~l9>5pL!zRw%Nx z8IqKox+sbQFB|s_U9p zlp;+N_h95J;J6ilL4I3kD(d?bO%Z@BP#_QpoN0v)uv=qZcw)Agq0hrJ;H`ZfsuA& z4X<*&&SDQU4&v5jFV+482f$WHnXIOK7Dv8OJ)$@6B$}Z?ro&_X)hhLpJD`!Yw&+$Y z&VSA@FX+2O7yvwRBHJfISI|cKg%_ju-IQ-g!X8#ETz`cJN2aftBRptKt_F<~S*l;F zw&GQVQB1%EH}f-?8$hDiZ{76Sn`-jD#GlUwhHQ2alw#v?TNo*xKm25;WRG3LUn!%T zibumNaEC?$@;*aVSQ0*B)MCCnd=nD&i@a8Z~-4Y*U)3s_dCCgTAS zx)E;i(|=KrF=43&6`ZySUVnCW4PcvO9vKE@zGoY~x<;Zu0+hbjuMwyjB*x`aHX8{) zT98ToX5IDZ?RaK~XvqCLWZ+WqG3SgWL}`LQCCG6M+nWE1^CFVG^=_X%dYt}ao!ECf zk)yU2J~zZDGN*<+v_J=gIh}-6E-TH!r{ExMcz+WP5xC)gH}bP(;lh 
z)X<6LN%l>TuA-^*M^!%7!GZGS)$YD=9i_G>JFMZYWigA5zbA~v*8byw)?BKtyO7Tk zh+cQ^;ojqrRDmS3Z5^z?eq8s9cxfdIubk?rC4UN^QrOL#&d-%*TM1NJO;&da|2XQe zF@LyqB#0NpIg05TRT-<{)Jut%qo?mL-Fn$cIRWDDT3>V}r$#d7Pp8eK6lz;<#iS6u z^5$N{UokFUf$tv$SR6H#873KdHMR8`vG;eD4ZAV0RwX9LLHItT`oAd`H(+9vaKXu; zR!3h3Xrj)Y9JgoMjW2$9r1j2A+N%89x_>NxbP%lXQucJ(8Z`y!yx&<%HahKW$tf>A z@XRXY$;K>Br_)eC`^fvd@sBzaqKJ1SdWEvJs(jQ@ZcE3SL_S=LXCv(la^Ef6@RyA zRIrML2g+h>=fcm*UdF@07wOfw04Qe2vbusm+pj*HzZ5*i@7NDWEJB0;KSJgMi-1UK z;xK`+beXw2$bG!uhFAdO#$TkQD?+&Pykk3I8&{R@WVz{g+Pog5eELePDU+&5^r#kw5rP>3=I9K^%3bv|O-m z$JN$08!uOC0tOL(=lb;<%fT{6G+I7~e|_5-ENZ7U)%AHp_n`BdN5O*D`m{t3h}xB8 zSD-yd{j}r;-#IkK8b2EHXI+Kk(Q9n_#GoxCf&Xwaq&p-H1?u`!^Ht7T_kUCsz@vHT zFh8~EZ{ud-GHxh%)_c*fO|so){3&x-%2n2TpR;>HggmJismygLXpIfT_|;D+5OLo} zlYYTR=g2UX_IE>%zZjdH?U`<@>8z=Lhu((w2#YHswnd+fHK%Oq)zJF1r_|p5lBVgmO_p!I2EKL>Leya8^2G}nB47!>o`$L%4 zY5bT&n+3l7rDhUF|MQGTbq_&vi=esf=3&WYk%jp`enR#1Yk&7 z1QZ*e$ZJj~$2X%(YZ}GGhguG*T8754(!G~Of-WbKiYB=9JVh60Q8!aPoWV!XceqHfr*a>=h{0`5|}95>2#nzzE1*1A{AQxEkKr zt!@E>7KO1grjJXz5H8cZCWzf2TnYTevl(&^tL_5TUw|uYVT#((kyu*C=xJa;e^|9y z$HBWj1IRpsWVr;*&iDiaoMj(qi(IWiM|-Y=@As}LDzE4^$KzXV7Kl4SkB}c4%<_9rR6_;Q4I&8J)*HlQu_BMne}CN@mil@0*ZSI^wUB zfTg4ydBQ6{m48;_%|>{5bwWCZyky?(VXJNo_hLV}{;DI(7*xi)^fsFu<(d?0QDz`3 zdQpIPWMBlN#vc!`lfabnmx(o@t6Cn{{=C;k!cg@2xDxkXQYkj=EZzkAge~-$trdxB z>DuZ!88DOJI^l5|!Xo;ebaB67IDI71 z`uJ%SDap_Kh_Be{p+fAH?*?~w~R~#Pa42R zNB;FukAHs!>aSUKNwlNS5D<9F_?SO(qFg5Jq#QsN(3Rzp`-kM*Wm6V%Q!v%BdCAz& zo`q=S1*8L6Dg4pRJfnLNg6SSLu>4#RE{aKbKRB$S)$wiyOvq@dnkf&DeOA!zj# z!++v4tJVEt`z^)v8 zwcHxK#l{d>o3^^;nQ*;10kXo7(xjje^)JVX6^cU?)5AEzf+%Gt%c5Shy=-(-o@!32 z*yH7f)xmc1&GRIikP5b!{B*;OO1Z1<41YA#dji?W;_A{mkvrRAP_#jfS-pW#CqX&M4Kb4Mjhj@+tk%iBQiqNm=T$mlM~)DhPKs5Npk8zn#=&|vS_M_ zAFqZlEDQ70vV?m*aTs>1?P_{Sds~JYy?=G3 zM~d)N0c{N>q*6r7XqEJ7I2?*Cb|TTYo2}tV)LTe+^k1RlzonCCaw7U(*I?+T8JJEe zZ5l(9W1vacl9Jwy7?;rM#svp8~O|>=s zE^cxHI?gwiMXrtiPTz~v{6DVU1{uNHZlh$EBy67!G-%h6lr5=wQvhwQ^ zFMQw`7k5~TH(*#US 
zGUBx)Ku=dh2emMVt+b6`oCPk+nJRdA@%q46L9A*oisQqDUWqejynlT7b8F2$N^`Wy@qo6gCjKmfH; z-F7LT0>vVPzye6piht_4K(u{Q&2J(`kFScTv_Re8gdnU*%$rUI)P_?eB?OZY`9yd9 z6L?-xLN%dtmhHZf(P3zDI4Z#Ob5&b?^de{ugLVj&#~o(Rv`ACC16_{9rVA`c`TI0V z2<>k~mM_aPj_u^Rb?PT;uKnbX0xLPmJQ5y^u69R6XQJ5B9e-cjYk_ZW7|!M~2OIVV z_)I%$zZ>JvGy(GOKLf(Ky!QxAGMO&+NuufugS#(pNOmC|LdMz6nPO9?9xlC(wBdfi ze{{YEyJ(vn%i?FVwlzslp%5ya(L7Pa`h8oDQ9s{xG0&Qc5^KOWx1)Pz57Q= z6KXZCi1Yq%D1Y{lYgh1Y;Opy6&cAkj7DkDuatQp zT{80d>`9G%%K~Y71&za}ocLBo7C3d56U==G*eP_0WX``Jnp2GyHX(vWRprX?57)L1 ze69B<@sJ03)mKrP^6i1j(P(lD#RAuL+(7#V^3&lLacKiX3r`RPhpK=7Rg( zb;l~mW^8|_NW0*ee>|=?mPPexeV^WZFsZ-REq|d0+jpINac5Dpd@vtViWT0mIoBdCvf|K8qRpbG7%W28yh`wru`l zmw!SnGa@7z6^@Phqwx`PVBK!T2yW;k$(O3EOuaaZUB|Kb_pbkuGV?74W}Gz4ydMw+ zInrQHiDcFl(TcjvcXQP<-!_W{>y1PdzyVj8l{R^v^Lic|gP6i|BkMz=f7#!_VVQOP z;mhAXvV=u_YS*3RnB8az*JR|B1CX3mS$_%_uDA_uB3=b1rE}p$T2Zs2bR=gi`7|>p zjnztaopAx3+gw$DJ)V5;%FOWR%^WNXT{xomIv85Y(xtJsX&2%aNR1dL5Hpjztggir zGg<)yq0`-~-_c3$XY$ZTA^vXF z&TBhM3OH|)2*cZ%wq6YuWj)BZ@_&PM-O;%@`ILbowe_zv=Aa`Kf@kG*cE53>xtZRC zTN0c|u5qCmuLbg5IyY=0v+A9QV8PZE^LnstbRtxtR_S(a$usFuRPmwDUHg8JvG#$9 zIJ&H{QiR=Q2Vp8*3~fkfPgYs9_OQ%O>m>nJCYFU*E^c|BEfe!G4l4*;?SH@1Ikt>I z7w@ThZ0b2=zCzRA)(LSOb@x5q)j_N$$OODd=6JhLkLO!$E7>&`mvu3VJ4QSjbX2jo zaYE_c2~zAM^@F|A&eYTz4_wQB@`BiBCRxZRkRqSY^QF#zKI47YmntrB!pJ!r)v>xy zIN$E_@{5y;^`eR}*sX8BjDL`E!dnqbPv~a}v$Rp?LTJ1alki?Uvv|O#az@+-*T*0MIV+q=h; z{v5uD4r3hg)tG-;nopu^r6c-tBc-tFxLiOTBzLVW$L+vSpmeKgnbQ!a=mv}u&^k(;AIL;l5 zs^4hean^a%K9@b`q}&i(%>jlhvj^YLI@qtHWV1V*bAK)z;Y2>r*hbGcy%tyZSOjE8 zBg-u_DZw-g>sTJKX2aIycRzk6YzW$BSn8GS&OLi^KYINpD3;r)z-0h3>}8Y%u2-(HYE=f4Qqs&(uqonnk4n~qCu%{NFI-zpAsY+tE&N=XeH^RA_uR(vQ-X;Bkd}7uY}eK`*sBb<9*c4 zUUzb~27=PS_%^$c4>uX*!(_gs(=;7+Y>E^ad$2LqY zwc|D8BLTVeWyf~;qL_+K(h2)T3XU**6cF0et+|a?ZbtMz(n9gvh~S=U6Ctk)0O2WuAQ1?)58bEJ0`t z!Pn&r;*Lj{NuVt*>DsT;N%Wly3i|=^4Tsnh7lEVQ>#$at12Sctv+HnZ<`G?JV}EFv z5`V*Jw2HJyC0)fQa}cDy>lEOLFC2C(b?@uv(xk5FaL-c3$=m!A4@g^b$tP*S=0|-J zCCANu)uGddxS9P5pagr%fqAF+rtl6Ro$V)@=RjWFL#2&J)we>PDV>mKGcAq#Ib+ng52Y#N!!P?Y~Ndv3lO~~wwy7g 
z;Htwvq=JgL1g9)eV6`~8^I-VR>@ zNtAqr@oXA=2(g9>&GcYz+b({P?2yV5~F-@*}Vu{`e>eg(pZZcrT7DIAqn*~+MW4V(}yqEZ-0Js2Ig7SZ_PLR zKr0MB1cuMR@dY72yNR_ak$EP)75+(2mFPi%N3@tn=3uM&~GW zr*|#4s9esdZ9?{9iP~W`5#MFL5ON zhs?;R0_Bf2)7f;0kbluSkMkI@M4%6+v9}PvBpZ0gh3h8>ljPozG7A}FckH?~cz+1^tc6gYk9Md%^~DXb zvvxbb15Ccj2rMn_{u1QMmnr3~0UzB}jFa}(8+YL=%GYt3W=B+={DufuvVKbxerEY+ z=#@6O^Y3ZtF8ly$_f3{I{f9U4OOdLNP;LjS;#nw$R}8&j3KzCq6)%baiO2Ab6^-6j zeE5xv)CAisn14}i{hGMfrU{6VXXBPSpSx=yNfP9Y+zbSlNUpo$!@ooLYT7R`zi10~7@7P*tVaMbGJ?$h9Q}@pj6^6gc(-3f;n-kh9qezO4u#_#!&St@S~C?oR!Rgsk6Zj-Y;REyT{Q}4`gsMpIDCM zOlQUcK>J{nnj;?rE4^&QF{wcdcZUG?ZKg&JNcKL2Qe+Ytc8@u`cZ;G&oU`;&-sH23 zG*@h$kAF)$^%sR$-9{N4D~BXz#`0BMK~C6sl6b{k4h~bFQ7V$mLZ&c-+xOsh8@$TX z2*Vdynt%xr65*zMle8|=4w@+m#do6Jh0Ju#GZuqSG;#d?jery~$`=tl720U55WuK{ z7#OLj1#_b|_+bCZn+nUDCaP+99~^eb!e&wiv404R{4aeUl5$=pkDQ!n!C|hDc*=5K zwiTkul)2X$4?ky#VpreHpOsd6;gW+D1@ygMn(4hN@*(gsN(j~NGr1&u51}ke${N&1 zH>0?l1~E)#k}qky`Ub(u`_v?B~_!ya#ttS@##aozRhat8x6l_w#g zoR`K@k$XfIF9voKpfqWo)JU%$|EsrL6W48sowVTFgs~@Ft})5oho>svmq1s+%^3mp zw@ruz)GS6PE4+qvTeY4csmcWr?%@fT(0`sRb9!uobceeGyGkevBnGfSh3mr<2Il3D z^$e9;h*Q!S?oxFgJiM>JbqO&xI$u*rnuyuE9gD|n$ZQi+%6(c0*F|}UwovXzTLk0A z0$r)X)*Kyae&8N${ z?VaGy_+~`(-`K_)B)$X`8PZ3quYZST-osp{os}KpzgJI^Gh0bGY&~n6gN)NE;sp`~ zm2cpoXxrYqlv}x`SOodwkjA(6pLP(MT=zyarxgF;3g8SE# zBJdra<<86x!n7x|zdJeC(yK)JG#Q?qqW)zxUN;+FXrl8G)iP;HH71Amv40=4Xava$ z$@n0!xd-*HNJgj2~FqNKaAk+r5;nYAnsow#?$ci3hI+w5LdK<}MQY2x{z zD5s$w1wp!Sk~Zf15r6A6by+ZD@muW5n(M0iiyB;g{^$?YLoO0`5FNzlp z8Bl&99-V10p`!gY*Sai#A53;tefu0lXrXkM0n|a+fvc5hEDTopcIBVHKuflqdNtHw z`b#vWvY|V2=6_xR0#sD*+|pezB8WMyehc8xi9w^}_eqY>n(W>su@=3GwQPl5sMZ}` z(Rnk8s#`Jo$>s&8cv;YLPvKU6EMBsBfir(hXeSx^WSzLvbc6LBMuMao=p6vk5)&^f zJI27-FYjzuHS`p9S-MRC6WA)ISD;hvdhKk=i(g$9vVX8^M_5B%#S|?NX{j73`zLHD zVK63t8~6HXu?2+PT-as_J=e;D{De$~XgxrQ2{(DqTm8Hjnee6$UPyqzEU+@)vI9F= zUNX%cDDy;!&KPSEK15>MIYyu+1exi6Bk+J3JS5}T-iWC~)1oO^1HkNN5E>hhznNLR zPVcHM8Gl_tdFU-FF=kfq!^jazp%j4~s+cM8<+wA$nb>Kbg9--CMLRpwrJI~nGXrO+ 
zfX@BTh&iu7AipihQZr7`_xsg*HtNI?4g_*a@X=SPX>rj!*>FznM_FLpa*+%%7}IcU z`K>rCmZP;?zjF(wm2~#&Oo`3SN>)#W$^dp-MkScT-2F<#xU}0OupN0Izo*!UbkaP* z44=u~SUtPwg`G2&o z{m)8M9N6nSG0D&^x}+C3c`v|qF$aGbNty{dIvgeaz~19W8oxzPY6=bch#s$~_853; zz=)5-2b(w7lZ>o>j>-V&?jfa8%oj%wDBGgZmw(P;bOi8TMgj7uvF}_VIVN}9A!SK< zk0G*ST%8bJqc7&Em7q~r1s_OUEq}F|7y8i_1Z~p$Z*$U3Q9I#M(tx@#jx-6PrNAor z98Cz)6O5T*&-`Ko-R9yJr86BI`lhg;$J`L4y12)D(P7F}`cvZX)$Ap?BN8X-{gi!l zUPR2p=vZsaHj>in^XuUpiJu%Eyb}>HRsfVi1@C?Ny0DHv44Y>l|t$} zF!V&MLdQ55zV$Wou)WR0TD7>7=0|V8lD!4B-(KU0*TzO z#mNFg#oym9k%0i#Mxm{S@PErk^aEs_;I3qu>T8u~QBeBt>!+J6084J(s6lyOd(1n# zPxCv7RbvoSiA*N1_+rf;;I755J{q&mt$7JG)Sq=fnYK%eoLu?e@BsbY;1)b`NxuO2 zYvy&iB%wEB9--Q(M-{lI0NB#Z`Na;zlrEHarHL65d>!!c=3?p;E`Rw)ukGRyg<+rN zK%)E5q3~gK?IzY`tpey+EDg=4Ov9RWwEfQDYmDsai#>fRS-PyzHGJO`H=7AKxeP{@ z8QN(Q_1#-xw&Gtq0I>9Vh}3$vajemZpzz=P6WnLnL2~FB<`C;FJFcz|jL4S;7NY&^?>)t~m!gsWV zzt`g|Qlog^_t7|*I#}mJG&B{kc(aJQEsQ?c6LJw|BotYmsIzjB#oXTUSjypzS;)$$uvWf}S$17!t|*;L@2Y z_cD%*8Df#1_+y_%`q~GcRggVJ0GNd#v49m8@Amm#3C9;Z2r+em2Z|?sf)eq9=^_=& zq%+Z~w1Q*NPjO21QefL8p;_;RnizaLpb6;P z@O}|>1`!uCkbfu5&UBWPlF#KEWA{ zVa0}4$9>4&DzeOR8%0WOwosymd1vaiC$hgW^oQyKSAXiE#9t`I?M0tMS%=#~IdX{@ zs!qQC1@f2JZ4m>5-9;ljN`sBC!$`7f0Q)d&{aXxZ^PeJ-BU&9OK#1e_oiHL zk&jZF(Ra*?(lX2N z=t=wXT4v+pDh1<3?C)w?`qQF0#5i48$=nwq=#^s(JX6Sub`=LG~LInsoVtW8*0<}nFFT4;U< z_8N88p}yXkBxbd<08__+ci=jjx4b0pxBb1=#vTEW z^!hXA$I5QqsmC}iGg~63Q)J7bCa0cMf?Lm5u*-RiiZk5Q*n?cZty>A4d6U14BiTmz z2Ee16TAZq_#9f}uUCAFFNW)iQ+K7krx_^SdcC1W3ZHoZ|jhnsp<~fFUb0u`?h zORkp#!i#NRmsxobPsC?IWI(>NYqA|}Cd7>Xg$&`7!o-=K3oRgD_X_*Y*T(_&75Eg1;Ke0;~!O#+)SjpJE_c#0%1R{qW*V}z{zKGk zCa8ZQN6LlEA^Qim!^$I7qXN(#Gk=I6S~QlpS3tGK`p%pxQKdCq1=c|lLj^UcX-o)l zi<#m&6`Dt;4}nXIscG*?hgVAj!$M4Ub<};w zebCn9d=f%-WMj31hGBs4{3<$xiRJ^6005l0>%;wJ`FRcvWi1G%X4W}$Ie*#u=dco+ zwOZ?7C~AD$`t^Ya&TDOSh~pO;VVAvtNK9<~|oSMse^7jj7;~!QUkFGK)QA zD=b5~Iot>dlns7qdc8_zvSA6Mya>K<;?y1-biFHz6GZeIQ{Q*iy!mG>HplS3iPU?DzH z>&k1Lb2}>VbYk(B{C_j5h%FQQ3?)xD%ruuBv^0G8Mwfa;FaI}9m9)#oiC6SZ*YNwb 
zK^aT&KBsxFVqiZfAx>6{$QkvEWxR||@DquunWA>euKjPc65hPIW$RvHx=)0Kz^%2J z`9M9h(cWuHC6v)9*pb#53XB$HI?u^A`$uLw(x~5jqHdOpm4Cr5ErC{23@&_8KrDGG zjjcBhB*ZN&x9Z*BW|PgZP*5Q{>HT9h0izhi;%{CrtCa4Azaj4S-My}Eu62|68l%=^ zwAq>r8LWt-{C>$Gd8Smkpp6Q5QW_#Ca?IgW#Jufr>m)Jm6qc^D+xCz0O?C!vBIKkL zSHn+}IfsHtS$_bs#P()d_=tSsccy(DWh`C-o-Ah`TaGIGiNckx-OX*FP)}x-G1H56 z^Bb>xt}>Q2sQk&LA1qdOCSr`t+VoV5LXVVFw4uMq!J@3L?RQD4mj&?~4bFwc#NiyU z;k&XUFt!&4CT>GTLlHPdN7zMU3VM3^jZe4c{g+sqnSY_k6aJ#xC|EG7xEUk8d2M*$ zyF;GuYXyY;{`8Qr+{?gS;^GW6lN)z-DLl4$b{|;8<#|9)_@sFE-k1J>qk3|>3&V}yiGqXj)Wl&msp95O=cwiw^-iz{GHIC+ z?X03u&ha$TVqu_AX8FEnd&dzt4a4+*s*R#n92C3y~=zGJl@9-WgX<6!F7JXZes?)5$3P{aTO z`F|ecB+`|F?5k!miorsu4jqppZ-jv%=-a$xy?vhHbc8SR%Avt{_{Ck!_=Oy`$WS!Wl+LhDak;%gwVSsn$TWwIe0Ph_r5@Tp&d&!z23 ze-;85$~6xne8&ta$HbovL0MzxRehf#D}NECtg9XS&7V6IY7KH$4*2&Gvg@db&O}P7 z#7JNSQ=JbhVDH5^&rSfcN+>|31+dsR>!$Z@;%jey^m9cl*&gB;+6)}?1v38hb#h2Y zt7mkm_NTxVjAJ7eN)XepOXWn6$R2kycDkF|JY3 zobII_40I3C+6#^j>eiH?Q91r_3nO4@5Y+Q!r-rFc4gIk4LFK3ef=M7Tde`*P9jowt z9H_?U7kso&RTx&0gY+{|L?d7H;eY$gXBurbMZALsXc_caZleM_O`b--l1%v@^fsv19rJEDFL!YY1YkvnfV*P&M z)@Er*-Ys&%dM34t74vzt#SK0o(D4mplAUQ|=A)Yh+U)34nb^V@^H^>~l+#MDK#%v7E@Q7=dh`!FlCh+oz|^-l zbyDlt%dtN3m==5F(s{y=4j~ql^Fq7~x(lYtQrHMnPb@yvo5WpAoPS46_y862HNRor zsVM%U?0c+&y4n|0(_|O_!%fRb9hQc*iu+6vl<{+dQFUe${+D6U&8miPfp5|N^ zFpX>rD*EvGNSUzE*g-7G<5{c)alIj(?ZSnmKBC4?)X16@I5LB$lpR_ePvTk%IjA>R}(rF*|$bZW^wk z9EH6@)2Fb4>sK;6hkOO_7jbVnTf;>wmK(vbR|01Ut_|0aMZ>iLk7$9OjRI=miqq4W z<85IHYtV!$@E}G46}aopyL6U?5q*p5mN=6dWy7y7EVBxqQh&sS;R|O;Vh9-jFd}Gw zyP5JH_0paWV*(qX)oHGj4K0Y zj+x&AgVC}`6j`Cd9~n^*8b$lxRXVWQmQ5ai;>^DV3U*Y3Jh?SqvU`C&PgtoBso!3* z_y8$BshEZ6OMkC>XK5Y3`r+*0{#jA=rjwzk+n;J~ir@G1$r1bgGJ#dXcO)f7nC_5K znCx}}$OE~o^j2^WOGtQK#|jNP5-98-N7`EB$Y<3|z)~WHGULpAi+V`GEyr`=->G>I zjaQdL0_5`v#hDWgkeRv&P|0a*TfG02&0KehQ{s=(BFi_~ch0XpT9WgWs75)_1witS2rc9BA(F016| zDDk)^TXj366lg|-RVG#T;Fh=xLIUF)6V0P49N{Cc60o*iX6?x#-lCSr+#}wP+XAMu 
zR3fT{_XT@Vf3t~jEq%eP52AqoDT$G8kWLY#krIwH(y1UwN+}H@p|sQwzjMBGec$>1_{~2vbI|A@z_0FC6UAKXeQpSx;b?UuDZ>AE)oIswqs=j^o;p!#T9~PPOf7Dy zKi)QMm%8H_3||8gQ8T*J0-$xRG$55V zWp8*yx^{OX6~$)l!pZw8MSDRO%@i!EVF^OlBbHWTyRW%%tK3%P`~jbVJR z=*qD&Gr5ffG?NC{`afts%yKj04{VuQNP<-m9dz1OD~nj1@VHMDnOTc3z_-e-wyD8fAHII(_2^o@e816#cZ1QuQVv(#9(h&&s0O zj8OOQhMDWOMfGwO1SacjAEvzexc%z2}V%$!z z@K`^0>SwV5u}~ijQpFe`xg9aKd>cn= zPFfIXj|0zkG}=n3KNKBm?`q$lYl!DAVAN3s%-Aa#KYE~^>uS%#dg?cESM(I4(|=@Q z64z4R)-Rpk50sU^e7BF?*Z?R(e%1I|{j3QJmP>VONaNEHMzIfmCf}m9K+85FT_#$O z*&RtrL^`!&e2fsP5R@cPk&D75W%QRPz8KQoxvY7H6ly$g7Uqu<~ zG7ADxO2=4lPbv9qGA1?mS?RBz?O*8Q4pLPS7l#z!k*`wUdiLS`ltJyn9V^%1R?lHG zTIINMK7m2cZig^Rwg9)hWJ1GH3^MmG#dyW#3E5T}WFN`h=~v}dH=K*q!o}=rW)Wj^gsu!Txk%H)@1^0xB^?P(R%Nc-*+L>tksn8=;x2B0J z;*Q1c4<9F@Yi8Y+da4%ZH%I4$2#AJv#=F$gY$)#-frh zF>r6Qb=B&{Ll|I2q!yIqDLuuUMQDuw*(+3_XlJ|~-#yImw1VfkR`b#;}_bj*r{PI$$Ly!-2DbROs3B#!a zzF{{!j-+zhpT`(W|7h!YLrqVm6LWx9X%7i5hE9wYmF@m4pOStj$^1>AqK}Dm#TSE4 z$4TQc3*rYsf9%k8kJ8hGQk=8SjK_LS3zIBH5?Eb>GxKVo4p}OXf=%YWYhowkuh^*Z z4on=CMHX@Y9|5jh6F26 zV9Nd@w=7rQELC+{-x&`_`uoZkg28;o=e^C1UyvfeoKuRj*R;m)Cm)IXwr65ZrZ*f8 zYfViD(`p>=OLkuo332Nf|v_foZJUo1X1G(Ag(XbuOh7o> zDQ=0^`y&sPj@hzAD#zRQsC=YHBk^t|(dm;JpbegSR9UGHqqw)4TUk80YCqhw@)XO> z6-(Z6H3sL$NRmM;rx-T@VR2)8I;V14=BKP{YW(I7YoF?xbTpANy>-V{(;CCJhlA&Z z?UYA0Y+3%eL!B3v!oeb!zN1OJ!b^5xC#m(a?M=?uktB!NMHlA5ezg-#q7oGGh%-D=}pn4=6-^AOMldT=E zZ%>}y#|U<~+$Fx~!JM>yX+EHJD3p4y*ZG+%nt6dQ({mwN%G5fja?Y-sqGE@z>w#bB zyi{wMUQ(l&&3Wvki#S63z+1Mq(W{JvGB#fC2B7-#|Ny1vmy^ zGUqz}OkYCm1>*`@sH7=n*cZ;S$cw=J-{m0{5RICX*Wn$)G%BxV*$E3OgM`Onv=GKC$o)6xevwR|mQywr|(a!5>mTXj*i-0^5 z?UPe>UX${LMMM1nU;v=>UdeQP0&y&e}mWS`@e47#st3A2`WU{|sZuL+x zm_gf6iH*d8%M&?A{b!{Vwh7qVuNh)QcZNKz{KIJCAB3DBst$3U!{pLGq;0KRGOv0! 
zOIlCSnT#7K*Qr0eH6@bZ(purVv{n1kP+EL!H=F^!I&28YF><;FybzV}TpPof+LIHB0_S<|(WW#1;-)OZ{vL;H|DL?Xg$;@2c0_27U|CA^rs zEE7^W`F?O8MKm?f)#Z|wN0%+g%dE^!fJcr$yd4ySvMBNJmC)TbDHsqjgJ%VjYDAKJ zInei}!Qx#+{P+ zk~Ycb@F#Dk!>F)DxgCSgW>fk$^?p?%uHFkl@6jTcppEm8SY$nH+(KzILQZ-wbHp)y z-ePg6j)InGl7;GL8Rb*LiRl5=c{1IVz1|%%QlGEcgX&GkoUf zz$5A}dU_A?b!!*J$Lr-@q#ICNLD6SN4lf_}L9R!u-4Dz*p6icgQVhu}Hd>}X(h^rgeQU8o!=Dc?A3IC$CNzgW? z=we1Ak|v+B1!NU2xD6kpt{zZ1EevR#BImX)wH0W4qRtSICP6a(7&tM+M~dRqd$g+0 zoYIS(6$ih+Ox_ejBJY%-=*s3v>1!_D4_^>%`@R9DG>_;|VXGBa@i?7Wb7{BMl*Cqy z@jEy)-7b2GKfKn%{JFW;t^vns5vL+du5 zJ`!J3r)@dlF;ig`%w|>-7+u)!5ATSgWF)B_o3yOpCOqp>JMpnTz|FzS)wc`6gT{GG zMvfgxzx8h{t0JfULAJF|OGmMG<-9@uQkb};V)iU5Bj61<)mx41UbvEElNDFkmrKUB zqvy^$LI7tfo>19Y(ZC1qu7OY}S*8m6Ch_y;38-}mPG>=Wq#+O@KZ?8wd#$fK+bG|* zHeY~`n{Ib{vWztEq@JeOlgl#ha3#>8WH|~7dr-d9fysy_q30Uw8fH*5y0D3t=8adu z-mWB0Cy+!YS3?;adTGyx!Ne0iRYORRAaz+g<_oiXvw z1vR>k6K82K;G^k4W!Og1j=dbOoj=wp)a5RVpQDm8iA|DbDaEL;Or&qZmZqP50q$tY z2a>N#Pn17O_2WH$Itx8{Jrxw>GyQFd&VY_bnsUB%8g-#W^X|b#tG-z0bQs%ox(#+x zq<)ciS-)Mb6l%aDW|$HFHB;(&Oa!SKx!%n$i_4e8O}#y>@3~TW`y9_bl9`TbA9sX> zss!CAZ6~g3Pk}AQf3W_?GX|jU3W6BSggc*;hY1)?ilEP1CTz4LnNsQbD)wfSR*uH) zw%gcR&n92z1p}R2N3T|_E^RES3D6HRe`J8Ux`=D?R<>S2jo}5rBS>g}7tuM0y+zZU z6#vkbH8IYKRVV@{8=Fr{0=&L^_W|#VkOeXXtaMFE#?{M;nrGSF2Z$q-FqCf6#aZ0o zcS7?Vk=)|P5Wfb(x1Tx)vPfg^^X@`4ds&frHa`EG%NkoA9gT#LOceQ#ak;|CHfy1NL z&+YI+Z0xt7GN#eaSWgNDz2LvLQV6uRzmvmU0#B_n0eX6SeTcXO{%4(NL&0W3U8fB3+%uij%} zsNlt;0`8yBSeok=x5tkgw<*s9t?7S35A47nBm3`KXz-*suRKns#BhIUZ%-4O;%3$q@3r1%@-wzC9S;;WC^|{}i{a3AhS$Vw&7j}!YtNWU}1FUxn)FcOH~ zDNraomU&y(W_uf>=SE%UE}>VDhl;z;-7P}Jw;Ik9d~V}6NYueO8>5yg-aRABZ>jij zW~~|OjGc%dPZIdd%-Ub1Y~on%4UTl6*8}0#WzKBcgD1MN*k4W;Eq3nNo@AJMX};_x z1CT_Crl+R%5*~v|?!DTt3x4@$UXmP)PL~yb7nWI5C(SZ4uh>mkxDH#M*1FgJuId?s z;jFozip=t+>m1I8^xoK~`>dWm40F*5&EK31v{cVc#gNFi-!Vw=kCWGiq&;Th&)$F8 z@zZ`A<;V5#O$?|`?g0m{m(HD4B1Vr5Y8%LtI{g&-tF`s%*RC_E%a)&q7#Bx%!H~Bu zQH)f}rjf~$Ujc<+NoEaE>?`6K2XfK@-*qN)dY!-@CMQ_s+TAwg(U^Gcr+HM)B+A>G 
zH(8`g*|t;gGf`Bkif%~Z^_QomPjIY<>`fbhh?cA2;UKwl#xJ4S)955v^ntLs>oPz^ zaO|Nk30{@^P&1bCJ({*{vQJSnL}Z+Zu5~E3k5+Q+iz`k}?-o1qfU#!v`An-K5li%YOzGkJHRR1vZ*1F){Q4=~)w!gkq+hq4u1)7S{D+hFO_^VD zZL457tk=J=Vb#-irEdZKG?7`Gk7p5RBfXD-bNA|>czr3ts3Tle-t?r;4X9+iGF$tGmrvT_&Lnu66u}t^V~gTs z*AaxQK&`0fQxY3OVz)^Kr&?fIcbibTkOoS8**?V}TY(G2Q@tIgCZ-T1SNvYpy&fla z*r_PJCtGg$bDCpc4(ktlN}fpBd&A6Bx*KpBhs(T$m$Ov2MCr{p`R@frq|?y}`&&9g zC0Eyzkr8oDTKPM!4xnng-p5(YQo-3N{1s@1=a;-XNm_GXBVg3NT_Qk1(}o*e+tr&Z zsMB@yTAK^>-8g}{6y}yr(quX9of{OVPga0yFe^S>M~Xn4^L`wr*a#;5GxX91{-3O% z_;*K&oT(>uJAs@}c+}Z5_TuS)fL*|)K$t8CC#hte7;S(iZ1}F zw|9RytdBd6a=VhR@zv}8qR%WmE3;805*2X0`fO()4xj&BQDKT9llv6(zL9AQ*5I$n z#slW!!xg`}mw^1*tK>c;_DR%1$*Q>uXo4Y!N{aEV|B3jl6gM3(tIBNM6!sWp;jmyp z2Ju*=(KUQnZ1$MKpr)VEfzb6LwwtYV(g^omOYG1+-x0G6LkqK@T4S1wqT1I#JdCmB_>t%``L~$4by&9cw!kDll-V`K0{t;gR zvw}vR2<4FXbUn?VQ39da<@9l`qTN58nXkwh)vQE_7f*OlZG)0DrVpomuPnIzIiwu- zfRtNkz<7+)3Hhz`CLrGJ5uAD&m{ zbDH03>W{IeUl5H9>0@qH_`nV?Et+FjDIvwSx18HqvicQS*lD{GJ=Nb6k(9p5%*!e& zaW;>h*C&uKcj(IA&7_)BlI{G{UZxoV9d8W@a_E`PYE|l8pw(ja)Y=PQvkvZ}*@Ak( zel70XdzFg<`;@rN)+hXUs1=u>vEF;J&Old_C?glmq|K;ooQI|9x)u&E6x$MC9Q^jV z5!le3JdXhdiy3Osl30AU>PD5qY&63jbZdYk9l0=or@CO%H9UkUL^~AFI@x71P_w-F znwGBT(si+In-DMb2Qn=u`D;^J6#{YPIwDfCqLQM*m{H8#(o6t;eNG{zbY22uqk_?t z_9oQ&M{1hjHj{H1Dpm&hvdwDYN*{FK@G9R-_i3nET8)7lnyxF0SrMiZbg@=L;h9{1 z=)C_jzr|M9H_%j1J$|1JD1+6&>R@fK4p<-j5c~*i1-1s;fNkt-om^b3z_wsJu$_~G zBTC4{9(-q|Yvtt#wzqHs+q-)se?tynN3aw43D^bf3U&j#dAnNMA-$X&+`#T&cQ?D= z5gv9(CwE&g66^)`vh%TX`;B=y`TgFZz$nMmmQfZeJEZ&FIWGZN#oZ01;^blnf{LVy zQ!{3Mwm=uA6Zwz4AUNW$j3BsJrk&-TH!ny8{_li;7x?#-K?o7BJP08QRs<{E{lQiN ziNb!<1&NA*wLxMKuntHJ_M10I3;})w5*Pi8{T*u%6axE`-QAJs-wfSBP$>LgWKdvl zun*W5EaV6F2SJ5le|6{X5CKLxx!B%i5ElR4E3-Ry;lEvoMVlh5(CIKSpzzEBTXbFo z6#6g!VX(5Bjk~Rro5NkPKY@qt25wGw*j*aYzbuOXP9oNHYm0t@@u!HH7Y^v0I#9%) z!&ID*UMNLJD4h#TKYspW2~WQDQ=@hC|MLxd3!*q;|O z`~1-@MTDUQkiWM(kwjo3AbZfiF;S7bCj8z&ZhvD4n0ThqQ*?F!4u?SQI`Uta;jlYZ z{)xe%;{U`TP#Elv%72Z8K!t_xMEGwEA|@>U4-760{jCk~-+@s0Zw3E>iHZJCVc|Ra 
z|A>Q%3k&}<4k|7p^3Msvp`!mmPW8_w!G+9xxGH@ z`n_ztdR?ARHDe05g2!LZi*x+$pZ>HxJ*K>#tO>n+ILy)W^S*s3o~wMhFXnlLoUgRE zdtAE-`#zqID&(v^ZB*L5Kq|@g{T?5}+I`%wU!R7B>tB7mFT0P%$%Wb;At~c_zANE? zcU~@3H*UhOPnea$?Y`G*!q7^?)L*x@!hVzMzkbhIdv1^0#r>uqfcElya-?9V*ZOjI zzv3p`azE@Q?7c|$uqFi!^7Xlo@7+@sHd=eg`Vx;2s+f85i}DCSc8>&3yP-!bLZ z8O{Cu+&J+}d)vKlak}qgN_(G1tJn3(Z(;Ad`^(~X@7w34ERz?(EaZcir^~R|96yi8 z-6_xsW_!#1)h>(hQ=N>Cub=Q!hpV05^V5A-)j7aS^Z6v_e0S;hekQr_)79J*xq_I* z=-GX!+uEhwS=;M1`pc{A%*$FXz4=Q~9ks;^WY|jN#*MK-f35vK)=x6>`E^{yZ>}`a zIX2C}Z|)EO{>vi^w8fAE**l(cAt{aF$7Zz;(}XXOdngSr-lt1z;A45t_SZMKuTyTo zgm&YQ_{AgrypIp$^3E%ETDquBelKob)Xy2osY)p1LQ7kAP#PcGyV6gzxP1 z{cc~-_hW^h@Aum4;eGbKZtZuTk21*pe6P2fZx?vA^`0vg$lLjCx+?t$Ga%i)Hm}yv)AMc4s<*F2_Va5$ z`D@!~(Kt)a^W=g_&U3NPP2Drfk+4aQj+B1Lp||sDi!(qi@#6=IX(h2cdUyQWS-N7K zX#TpG_oG1~pR^;Kre;gr$-MzYdkGWA4423EQzww|+IB(Pi_HZdrM6?Gx^v1LmPRwX z75T~NqM6>!8jr?!Pv85|rZ~&1jStEN=##!Xph19u*P530S#2E!>8LXMYDksxRJ&cv z>X@GooLe2`kvyb*bOW=Y#r@{!My9k^T|ZXe)tz}YO$q1K2z^m|VHI9o*;%dLjlyU` z>D!61D_M)G7yO#%0)H$Uy8P`0D!}qRIkB?9mvVn|PW{F>HkQ6B_@~oa;l;ggjsx{> zzaE|iB(5rFd$7>p@RwgW?bghWQzjaR@v$jrG9K*d+VrLOjI}juSF5<^aE8={9+ZX+ zkiIcq8_YL1tB?+_T9=a3tIBm5#IMp3nAG8r?M7XFgnU z&w6HjX`bqdWnQ$#7;2`Z)7CFf{@HUVjaKS2*xQ$``gj;E)md_rl%thz9Sd*5_~ZQT znx|f;eoQr?@s)4!JJBvyrl$EkFNWRQ&h=jG_5q6oF?Nj`%k=M^_@nJVqB5;p@4E+Q z?^goUojM*FyG@2lXnC8k#R`{bPA5}s5`5`r{HrbXtws8^(EEMObQGO)`>n^Ce4;yX zFj}m0bVF(qPhtrjY}!L_!zVU8BS_l4Yme$#(lnIPWL7{wJg%7^wJ=RF>T)2k^(Uz^ z>db7#1df386fF*a-4xIokFL;{spM@;Gh@!`QLz@-)!%(2y6B2^<6H&^I5TaY-WZG} zZ(ltz{0Wivj!2}x853K``y0TLnBSsYZAvjR}Ixfe>Qcswqoq7*qyYksx8ujy{5XK zYzpxdK)!413@ZgRb#y%cs`E>=>=+CB}z~{Gs^9R>yP_4XH)2E-6xOs{RJl$ z4bOSgp=c~OZK|?--hm?3F_&*rNaZ%X$!xJL^nNxZBF`flUD(HaZE-IX34~T;$%CmU zq=eMWt0#9;u{H=A>{d_wQ$EHmH(kLwt`0!_DmhywohNoMo2Y z)&f3%FeGog*ZIP)T*JgTc7HBCB2meeGc9^WG2QYkkSWs|DJY#_bJxVVJfiuKh)vjA zE4A@1xYRd%n?inJH=FOhW*}N<-Gjd1d|xMEb`ji9UQokzBLXc<$6GIq-m#2L$qGMT zc)twGcD2$`)9(5;eUb`c_*(niV`pDB&n(0Ko3}5bGWIub*X;FPJiw`pkXxg*^Sx0q 
zmT^Ppd!GQ^nMXoN;KxkN!#-k?JY*%vZ{GSTS)Ltpre=Y)jRE7(;}y~vRuTi2MS$d~ z4)@CDSG%bNev(OYjVrUE$w>r`a|}sDM53EHrWm>owMwTLR*@%7{R)6+LFcb>H(pPm z;h$tWNzC!6ei=7j>LU+`N7yIX+VqRePqHJaIkSph%GPlNS^P}{@Hr9T7DMmTg?>6q z?tMnSEW3*ta{xQoq#lys8~)mMm)z?>JD=?5=R-spquwj#L+tzIG9PK{P*xObFSFNi z$X4~Sh{Qt>26T@hIaalAcaZrb{hoVI1IzVPn-9@UMgBB-Y%qpK(ApMLqx>w$&-pc&zS+Hed0yiMu`TmIf1M zf!zVgeC%@Dnf>;PWVlmSHv@Aj*Kb}U`3z{>?suVup(SGhuH398XZs`yK}&u7eEr0> zUwuoRFmmkT76hYLY;E!5&Ti{*bsblMRoY!2j;%v8+^am6gi-Ue(V{VO48E1QyA#3p zS;we)5XDHFT{3PNHk_4bkmq#{&3va(FZd16iFUuk$vVBHb3d`{zz1QF<6~l-?d9X1 zP4U|P_1HRrY*;$qEs?J3qE8CNwIY}LK&s|JiYIxmjt=s5u@LWb-BO>>I$$F$mB2-I z?@&eUhu8pt#Y&xMsVR|s6D{hR$C;kkr?;nkOabzn5;Q_jsaq*~m-=cltl62_#0k#D zd+ToY$77?$G2M+GBM!Vg*ifUfvzniWhu3w_tPg5n0?5Wj#bUyo3jP}CF)ROh{@3we ziC6%}e;ogo*k$YASeE6*_>Zx?KA)9A*nhe#u*;j7(N7ZQ#IXT2h)J5AoPvzqY|Ws? zW$Ko_EtwO^*k~}+u>Bj%UyL++=$-#X#qnR%e_&nEIR6^E2+*oW{)_q#0~rec5A`p` zKd`^3|1kc7{X_kS@fYkL>R*gBhyR1>F>r2g%h?ZY*pTWih z8;m__Qa#z?M{ktmu~F*9%5o-I6z5lw_UmnNFjjT?gP`;#6D^}V{cg;yYZzkKO9Y~~ zU91BV8g0D&m)Kp6Z5jhs_7Si*Qk6YBwHzWc7KXfQP`bZ$#P}$F~uyvZ%yN*I`)(?)yV_QtYs&I`AKR)am}k6 z-;-1<>6~I#j9Z}O$3wGA;|NW2B-8+&L(|MS#_I|^hmy-E1f{YUnr6mTD7n4RG}rQO zL5(mHOyD_1f4AoJU*m6yf6xCq{wo2c;XjUlOWZ*@$D@JX`DfTcIp2&jcEclws$dh! 
zhh`>}{7t9|H2($@2_;|C8>-EJ!8rVl3aYgKV94`A!~0)UP^J9`^&c2iX}y09cc{|v zfd57PhXExY?;q-4jDKK%QU7851^b8k7vmq;zZCq%_?LpeEfd;y=Z#F?g0}3h@ju6) zks(c48lb}+Z&+=re8pPlp3Q3ow6+H!4z!`9u-g6TfL@a)>@g#<3U#|>0TFbyF(aYO z-pO5iyh{iQ;>w;fp04j^_g@8lhb+1PQ zR_0DRUY+;*eIJDl-TlS~_`V*G_&1_h(rtHZwopj9 z;VC@*BW9z4Khll&^gl`ezw_X@oYl)u;`aaG`+wfbG0p$U9Fw{=!Kv4~PoKH| z5V#g2dh9?}Z~8{Dr`Hod{UR*8i$L@sUef1zn7y<^48L`%4+)yILmzez06?chh#zaV z5T8yk!p5#h%qLfI@2sk6-TfaG%My)9KM4v&rzu%8J{Btw>8u^vtgV*JXr#vw>l3EM z7~yXc%ro~yK0D#0{2h-fJki2q-x4?b+Iq=`csjqVHps!F3(3Kc8uYqdb7OC3xx}EB zDZ2~rrRSwAa`d2=7wt-sne#XNn7-PJh-Pd&7PM3d?Al~unw%)@v^20HpAQ=L zfL^Hmkj{T+tIPw6uP}H)ovV>aHNY05hzcvev2*up1H%)0M2&~F(*7dFC@Ef ze4|fR*&r-mg?(DoGM2B#mptkdY!6lv0eQcxrux}HVd^T$SG#W@MBYDwx1Mf|HgZnU zfjgYNz+91O_*EIPk>M!8mC@OVmO@Qx)TmWtPXit(&GMw)EhEcaf*D4G>_m&uDdfsI zPrXWAFaeV&90E?@3rxGzLXrKxouABiPTPY6KW-1_Gm(Yh*Fk8fu4HVm2r>^>gZV-+ z7cz~JNNgld2j4`fPn=J=cc(>c#PZYL9@U`7Ok(UU!!~jYD`LtaoUFI?P@g&P4Q@_3 z7HT49y|tbXRUJ_N!AkUkqGx9=m`E(sTkfKw>2l&^8_Va6o@O>K@UX^=3!9`>;_d}S z&tO2ia`uA`g}aJ`8wMx2N}jUOxqpKxAj6kx_XCc&qR(O8)_OzP!w=7n3(eNJ&4D(` z0jWEgf@@8F0fzGcp&(RX+NQPL%5_>lbw@RcxB#X~^JZXBCP*;Ol{Gff=bOR2j@*<^ zCoZv^OGGUfHJsnawrZg(!Xn2%Fxs^F<|$ZHzR@9;5c=RkkVT0qJfIAfw@oQRtQxH4j#EJccUvs6o$u}vd^bzpWJup^6qVC5|Z${Rg}Wqf%KH0edtu1)mijv4-{PJ?@wZ z@}w;i5U6Slg(i=%#jyXZwx({0DeqZrhz9g?h;=A(7<7=MY(IH)kRuZsp)da$QQntS zN}U}n3^*s_Y?Bq}g~*sY=UE8+)OJzsxM@W5!f2{5*B{zVAqgyfveF<@9c*z%ZcKKuJrGq3ZiGk2w_ULeT*b&G`$EBHZ<*^F!>ILX-_u8IR8B$O$1uQyU+ zA0;Z;gj37neqWxbm#suqP&WF9VKl==8fRHrSfEY_=E)D7uo6R7>f&hMd8{HEJrp79 zPzGZ7oCT~3I8>R90H)5e2$PoItAse%pLw#v;p`7*MMAj-kyqkxkfRo~!t_5*@5VnxR)Qyn8D}}-orGxwO3e9w$Z3Y=eN7w zUyI2+S2x06a5n_($9+^Uvwt-itMH-pJzb z!yvgAHIi{$Y5MTEI=bgIrJ#-%Kh>l#)Mk1JBChAAA1=d;rmeHHGzUY*E*vKr z=-f4R(}C=`s|%LgR4fDM4?y-6kGzc8%N0YvuutWML1!jY7Dkve2rQI2j}=E1BxpJP zGB*P80L+zP|LD5lZp@mE3oczZ5#$~cb*0O`0X!ODMRyshgLaX^s7{$FJsJqe3?^qu zsKxruM$%X`^UGkM>PO%)90C%u*3KK%HJt3=#WPu0X?{6zy6EH#y#7yu-%C^0f zZ~~&d00UkCwOp163AYo-2n9Etxrjx1_pEhVl9>dH?o{IRcjuy;<;)L9y? 
z;0UHkyyny_4T{do8pYgmkQN{fHT|IWWTF&Ct_!$`w|r18Ty9hCS{n;axY^YO+$WDV zl9^aD3^iznxb_E&J~8tEvGpt_pxy8|4;i$mD!#`4bq;_;MTCKs3;-5fMKBXzFue+ z9ss2OVW~nMDM#%o`EmiCHG7a-q_VljGHb30IVmb8w>sTJ!6LemhR+XU zK*W!7ai^H^@UB8sC%!brRbB+subi0hEAm>q%NlOQi&Oq5UVtKvs*+BM%3Kx z7yQkXYa_1@eTy6iP}VTifGbs@md!S7OODcSFvVFU%{eZL&-@sIlkJzm*xW7jZky7( zs6BUAml<>H4GJFDCo9jR(-_0c@nr&j_x;Qh*5au)S{HA?b!QTuON3n7nI^*15#WhV z`B8DJwxs;uzNRy6V;01Xhy}src^LL#ar(vReO-x7IckRKTt>E>&DU`B)T39vz~(Ep ze_NVSavj7777Xb+57~(6##%bZ6xk;so=*bYh}p>eO!*2i>co+neO>yjVbjY$k$IEW6z({rCdI^~_V$eGTgtwN8ct(gsBo zZd_t-&;yt0mixy{u>^B(v)^ftPMq2PDj=bu>Iq#8P;A#>c#NF|B@vn!fs>5w0ySp0 zT%Kv$D+F{N#?c@+fUVnW$!i}lee4{vJ8Q9CxxH^ZZ&E6*3`vVHl|yCZC^z~YLND9X z>hk+0Fwe==|2I6+BM1!YwmM=W@bAAMZDT;&y5kOTDT5)$p6~UwHRMTh6>9%Y{0Lwa z)r&EsL%NFGSx8I>#_u`#A=^PH5uc#$+~QU(As%sqW`}ZrRS2DMDA=N666x2&{~hDe zn2fOWz0ion9OQjHKKs=$d6#@ow4q>)bQCIDa?wWO#2*W~ePR4hCozv_wE3K>3X9qO z{!ug;_DpMe%;KJt@Nn?g0lP+Mi(wXLU?PI02p?_3cif*J)9)d}l|;WKUs%mezt-9= zs)H4(tG+5C+Lfao(bff;^WRDQF0usO&<;Y#$gJ4uc-8b4Q7UvdAn=T0?-6yJm(L|| zwec9u7aV8?C-BEe$OoD_`}8b1x>|neSKHg`aC5h)gw6(W^t-u~pDbBu`@(d1kFM6h zxI$)$RItuG5bky5%WT5^G3U%E?J0?XgUH*wv+p|fwuSJ#xNDsjrgC(XA8}`mo zQrcz>wqK-b{4-fq$vW8fF|06v`5S2vDUP+)=m-PJkidDaVofY3hk`D38^R45CMiy% z$)#G8Oq>koLz+oR;^p8m{@xRzt?+VS?!eB73i<=XJ;JCdXoFKIsJX@t-Z>9eKFjYV zy_}nay6D4Pgde;3f~8|!u=gSOa@qNWnHLP>tnN4l&-ju+1t<&E@EG-=Qs*P8XPH+c zVsb290w=(%9Xb7yj@V}X3^3>Yi9|)`9?A0Ka)kpaoBPDO?Q#z*QYJ7Hh=$}eK`Bx3 zOnQ83PL9%H z`1hS>?}gq?RVjwz$#`y7^(N%<%mRO!vZ8IA<$7g3Khv=YpBB>{G=8VplkdNt(F*8( zM}*Tj1|ZvPux*zPu;rCou)vR#EAtb5`svYo0}c9fxpQAMOMLp4CP zn1Nj)W9S~EY+V{20tBIQlR3=3Hi-v)!c=Il5Xz}DaGY(` zVeGyJh1Rlrp+}%E{t?ltF2QY@0w90RP%6o?C>szpw0nmm1;oqGynRenbEh(Lg%hs5y#Ft!Ojw(T0nI z!^{Nw*uQw|oAiknFEPT}7DCyl2YTH3nkwspa0m9=R&C3u5H1^9pQa^pJ6h@PX53g$ z+#MxcP`BpqHKY>?QYV?(F>Q-BED|Z_9Bai3)*EqeZz9lLUzfS38>d4m2U@B73sXwT zWbY;k6q@7GwaP9={XaV$!yKtu1<_PyDAP=kSfAFr$%Pc}gqf}vLNJsMQO>lo8l4?= zq~0E3J$#jUZxhL>DbH1`iCX>_6p?whhfmrMSO2q)cuSAlrinhm*Pyk9XJI^lMi+2 
zJ-GW!b9utQv!d;mHR5a|aCabXep0lY#KQM6%XcMSy3gC@n!@ZWmtBb=f|7blo*>$k zy*pt&?ruXD6S;tU@dm5+VWW?Ffp_#&>Hf&iz~mj{Z`Vw+#OYd#F94z~y>9U)gFC@5 z-E2Gcixe>Oy>SJB#tvW^B4mZ$u=0sf)n&N7iDr8|{4Bv~+)GhNb(?sQWOBL$`|D63 zd6uHmZ~KvanvPS;U4}+hH0&?Imw}%Xf^s@i7En&pk@awi=i}x%{)k%k&q>@*^g&q9|aP{*c!`mkc?oC)e1Jt*~~yp zF86K9x+x3*dX&V4TE;~tYrGLso+1d)zL^b|pp3Go z1tpnxJ6;HJU}uUN6L=+<=aHmGD~2fMg&6tVSWuZb%f4c7({#tI7a)K(syauL*PdY% zmxZM&v!(VEwF#-AVcHg;k9@wy{{y`d@MgG>uO$rL=a-~l8_ ze06gIktJ(=3JGa};+a2Gp$lz6U#9lpouDKWB$}MXBg}>6<^4DdbVio1 zl6PNZd)D(K&F=pn0)3$qiiVp<`a(So`}WKGHVaEO(9&$FiJ@mj=|u; zH$vCTE2g&32K6Q5t9HOTad^PHA^fT548Sj8WGQSk!#8?MlbkGm8G*2q`V=lFR_oI? z-(e7DnS^ttrd*Da-EfXyJZ~@;;T>Ba$K3fakY~wxr!w*p{5hz#NBm40#Voi4z~CsW z|K3L{zMHSi_d;>T3&BW=cZ+?!o@TJGvwx^>fKUlRYxrya!}Ph;md77o!7!FB4qHyL zb3)}%eNkh4qV@(H1s_Pha?TTUt@C~Sj_G5>UDPa&8mwF4q;n4ttnU#RKixE6IF5Bx zQu$bf+VAv!E#aa*Mc>8pXEiC#Ppd}d->%I`efk7)ae)aaYK%V`^<@p{E!yg~F2*wuD%tec?-WQGUk>7PUz;>oMKsGHNid*m6cV)b5_B(|;pQ|y?s{p*>PFDG zGx8D{WzW&Ak&o|o`@#JL6O$b@n1D-M0gFEpfetj2Q;bKAua{8W7Ol9#RNr2YWP2kT zADJ3h=ME2K2V*&Vxof5(OH_v$k}t}0&v(-zn;w5IOd4s(-*FvJ_RtYZ!&jm{9`9@M&!qV$wHUJO1hYx^n`u5xk(KH3Uw+{ zFo8=+$~M8Q(R7I))yH1WtgGQi3N3*xmX!JiIdD|7%INqgC zv`t?2krFiAe_WTec@WU_%`!ONTmBm5C}CmXv0J<#wLqjfZkm2oXT3@_9x_HBr{j*@ z7+S)js1wRz1ByEjKTr>LrfqVF$i?i9E_04=AAc@*udh)n8i)F=qOLrU0f6Aar>?$D z0KY;Xh~)TQt!a+b#xR6+Yv$0HBS^4S)!asEFqSV*^=VFp3f>eXFQW(}fC_|fjQNri zd%KAht*#V;Pvk_Gn}U`zDnpm+zL-nv*a?aIR51|Jqbr(dJl38$(=p{{Qdo}Lh-6Gj z%oVwDoHQbtpFk4(HJYd-pigp02tNctp;8xz`6ulN4^CnN3`6o>Qp9qeLD4n_yc30+ z607=M-dAR5I*JUuWe_0y7~zd!$CK#>c6#hsg@49Q*Kdg%;FrRJxNEQNczm9?iUxQk zL{P^R?L~r)ZV)v6nHU_w32ZPi7E;9$5pbA^MXf&uF*$dqC-l2YHL00|;ctYkifHqy z%OOcYp;JUVHlzN2(C$lN9ol`-*#GUm3Q$RzjPo)7yU^W)JN^BgR(@S;3J*^=rf3VU z;u%F@x-hq|UMeT5$Mf*0jj)UD(^m@;bnEE@E(@!a`#bJf*Ck{UzrhL#EBX=wErVKJ zIh6_EgELnx%GOSc9wry7O|%{+E~vQ%ZqeDOTWYr=cYZ>uIG$+`P!WtX6hT6Q(B}MS z`wp)M9=Yne82gbSC9)=XbVpfs&qH@#87`i|gvVK*xFKQ4ZuNNI? 
zI-{3q)Bxbv)y7AcVRJ!xTMe)`a4*&z^)B?jGVjP@I2F|Cce9zz9fyN zOI~z1(m~12QZJREfX`XcC=f=;`08ca7zYz{RzUXE&Yk`@$ydft{jtePBn&!niI9b% zSom5VfhMc>L&r+{NVe_`6auos&}?d*DQKgSH@kBhD_YGEv=qXw@xGj$l}vB8O@+c zp$Z!rt-TIkGM-JOWI?r{0An9h6M-E>2+wv1i>I&u{Y}C9rD{A9P}mHNnrMfF+{t9p zk3a+?kShJ4s?Z541D(LMek}wZFt5P)=I45~E~7>-HQ=s;S#RMkuiQ~OdqJ1Qye)~Q zvoEdqPo36RK$c{6H`}*`o?jaizUB2txTjGo7lWub)9}gTCT2dPIoL?HYzCmpsO}Rg^1Le&}yf8nNO@>Edwn;fuX{B$baQd=f>W{dHWb zjJ-1<9hezB4#sVYPrJyORr3ZbYY!~0wv4;$`DmW%WJQ_UE-wS^LBwKKxdkT>R|}Ge zk9!1%12)g1%;=nq0zz>~+XCZ=fypsaE0xg6Do&cVRz;5>F@;<~QR zJweyW>D2vo`lG=*<);EC<5}-g_v%XEB`_`{0^XsF31oSXGB1E{E6fIqv_g42B`UfU zofH#|&DHrMvq$1O-WYjXDT(cAXL{?QXYEmm@DsI2JJ1q}$aevUiVZI2Xi!hV0*E$| zMCEP>jE=<5Z;NXEpUv?>e0p{Fuoj552;6po@Jt%tR(If;hSB&tDJwZ>YYTFu`RBAI~BMDq2c{YNqN_zC_wk&q-jaTusR+x2FI!w4ZJT2K~83ix?%p0RjrnZ z*89y6xwQ~EB69~8L@$x0Y_T4^pKS3JR8+Jjgw8-Zqsa8GKzpLGKrw1s-YGG7fcVJ@ zgLg#lySh27fXTuLo%5FO^btA=-`S6X-6_T2Z+{WRK_*Ap82Zu)j0l_wTuCf67!#UV zZF*FxnnTA`N3`=c6v=S)<})Y8J6kO*A4&N-<110hXsvpP5-!1B(~7jN&G%MF5xz&na$8E zsX3T341`ywSmrUAoJ5<&ja@m*easQX)&%(0O#wt2B(2xX>b4$dmm+Zdri+edTXREh zC%eJmpxOg}3eLAOC>|CW^9!0ihEr6cpG~lpm)BkdtTThTpbm>;+ARU9%kTt&1`^28LW3 zshWts@~0vud`pHIVc(kn2nscpF?jjhxpX0#HnXxjl2+cDr6TQ!wqzA49=FvjttXK) zC_?DUiRtyTgh_;%^$o#GRd6@5YwBKvTwv|UZ#8x9!U8sU4P{^;No8hKcsdCznUkiA zXx`qS1l5Ek10WMF{m8srzJ^H}#oQ91TiP*d-)MhF6s12AuZ=CqoKdjv@(-@o1sk+; zg0&FPe<$TgruUiFK>~wW!br$7T#a?q1BL$#)t#h8P_cHt4lC4Ct4Xcj5WwUiJzCQi zK@uuxyd&kf72_^%yZj#2v405v??;RG>$TLECIQ8+l2NM1v9tU^nS@DB)PW&&ty+7P zD*0e!zCQ@eIugsN72w4T+7x`SmUuNwf||{>S{dABYbcOOq_co3z=S&j6+AQC z;!lHx-%m#IBrwF*YS2dc0?xPvj<0oa0cP?}HI>?FJ?8E=O!E!(J)C>nq?E}@$UJtFC(XhemX^Y8a8t=B6nfv)nod$Ck?o7V< zD0nSuCzG2PCQI&yCMxj?x!0@47l<7wg$zPxR?M4xSKK`2JG}X2{ zKF?BvoKE7(lmi{(VBgF}rpLaGPA0gT0PK1U4d-ng5XNF9;RxKsDBkK`vxeK~poIWW z=`wKAfuy`eo9QwegrLFY7tshYO=L&t$8V#FRXQQf469~7ZYByZyH%jTF?O2Lk%A%Gvs)JFhWkw zfnR~I78y}XYRThIQl?$rx~dBd_rS5Tu1i<-1AIDknj&g_wnI*mj4@?qCn!stUAF_< za&AhdYQ{(e_AqPcz1x@@B1j~nREmVX5czN&P+hf4Nb8a0Z|_M1rl_1|L~FbuvSkk1 
z$@pzg{kuTosf%?Ho~X7{JUvx3;(OsJ;@b!v8vv2|_5^MerlL6$?s*LhNi8AX3jP=? zli#ld64WZH;S(Qvc#f4iCGi9u5M5?apmAhgYvnwvceSQ9koyI!l!hXtH)+lP=pZ}6 zmN-_w^scgL`2q{?hyflwto6iE$(|aoQt1$n3^Oc$ga%|oL*15Ti0l|bky#vjvi(4H zT!ww@fXpxuEu(=<&T#j4&}HDS-i~Z1oL|(wO={Ke!hkIG@pwIjgqDixq!GF~5 zR)CBm;+3O1t??t*hdKxXH|^ZqQN625eNX|pX>^NIQ@^g1OdpA?`R(!S*HBCW68%%3 zw?^Kb5GMQ?qml5k7DGGzc7m#$rz%&>niMhTjjE7dZW-H~m4>QWAEx;wL(PXpxi!pH zkAA)7&N4YOcZ+mSZsLS+;Dn3xOB4^WY6te#$6o|%=@)WND4Cx#X7$5vspsGHO& zdvQp~E@!dFh}h*~FN@`4TV3xgsWktGgJ?Do$}lX%SSyHxz(s)Q_HWmxdBfD3vO?vldhf&~^^FvS^*rQcOFT9;3y=+`~UX_%YW<@Fqdy9uJWS_a5b zh0~YkI?&k9fal2;UWvgJd%bBu7FI+`O}pX9hBNWBDy@q?km9J5ti7LhtbFW4iYcc* zDPt>$imZ4n%5cS1(|qJZ+n>cF9U+;6eK4}qt-j=7TS`LMddn!&_m%bg<%O32fh32? z<4^+21*3|;_2}J4GF2p2@@2N+v=3N>j3Li5;4$jo-w-C#)%`}07_~SYP~PFB_WS4| zYZ%5}Sb~Cj`A$DgVI78T?(hjU-8He6ONCUID_F~#udH3(&dSjWuU=w89??f|SjsS0 zEtH9YOY!bT-^cO5sms$HDscv8UJS*v`U;)Hh>+N&nA3@^?awFKYak2WzFg^mj z9#$96&FPjVZRZf$O!uv5%#})uC`C0!INE|cz;%vaG%f2pJjVk`?1l&=>OSn{d73MJ zbrdi#R{DUv$3WtAnwW)tMxy1g1<2^~I?=!(vR)WM<3t5p-dm5-($P<~_R?;|r0M5& zQ4u4+0NTz|YZq4QrgI0_ZeeILD8n2~FphBn4aZ4o7L)+JwENtJs++Ip>2kjq+Z#<1 zH46S%ai`gd)S7jtI#Nr6JYjqEnWmvDNOw;0c3aR7z*nf*sVN1|XVaQS!$%i-Nvx@d9G&>Or-l+RH3|9FwB5>6 z7x}w`zBXf!X;mkWI6Vh|LG1(EQ4)cg)8p*Rq7Z{Im2s~;Kq6j89|%h-29p4mD=_$S zFu(=n^iC&uHa{4jtelVv@6#v2x(gk~L-z(lqH?A1AGliUOC7m|kxU4SbdKRA$WDCd zpRCf+!98&DLbQ%)5-EYn%>98Y#&o2>sI)7K0I^ZZS*$VoQnY?7h-(3UV7k1(a`eax zKX5$Itq_h2M_?u_rI9G&28Y&@Da1J9ZSlr8>m+q5*q3XPmmiNezs?u@rqJ4hzu*&1 zwU&&_Z}sL@_<4NRZ?@NG%y-?K0N0@POdj2V#H0<}Qce4(`-CANB5j}|cZGu_EUssNGvg3oG_(KG`NAfrYtsWB&}Ore_irB&pM zy^i3A#LDnapwr!f_3Y!CYNWxDv`NU~kG!s-lK_K#Fe?UlxQG%`jNU2NEE~ z+y0_)qto<0nQ0I`gaUfbRyMw)+<0>f5eUn8Dy!}eJ?~}UY+iUW8xDc@KbzuDi4q(k zfgY$rM3Hs>WIm}skjbsA1^rUBwW?P-tXhXPg$4=si|vC1GZwN3y~~M#&{esBNK$P02Obxh9x4_d!%>(*Il;WU7`Z~>GA%LRi$p)u9h4U9;fAjE<6Aa z$0Q&e9PHcT{?Y^1VMM_W+aZ3M|DT^;19ysx9R<5A<-+vdheW_C!t435(rPtO<% z`(a1@+4HPY-xy$+20g4fPu5l9tm<-n6tf^SPnp-_(K@#Axk(EjOAafqzSdp=Ge{2pPibR@zi+xV0z2^lH}OQxvhbrOPKICU$R@1WG_zgs)j 
zzM3a|@eQlhkxSlg!U@X;@&%VdS@B0=Z=4YZiob7o#ALws2C#M1$6!-l*RhUM)?%1_-REpnqnOhVb)A$ zm#IBgDmkO>{;1mlTuS%p#X)Dl#MLAQ3w=8`g?^kd?%BK(X?w~Rg9Q{&kUMJ}n z*A3$GLu7bz!Hpmbx*%o(9W^W=Z8bvO@1`&NTD7{JF|*CmD(gOV)hNv4*OdmlN47i* zq%A)9Xk)1de_W-s6u+&-6W~jzUrK{6Iwi&u@EEM>oSNyF$Pjr$S&@xcxit^IC>q~M zm^7`y1CnKUfD{i(rqw+fxPa8wrL4J3lD2-1j6Ctnq}|`TdGHS(J>MDF2dn8xC!ogP zckW1{gW=YgQ*s9imq{EXm^-~HImO4eFXCc49VYoDDn2{$R)%&>Dj0t;>nxH8P1nFv zs{LhJ>M6t<>if78Y%gp6rvhQjywIkGE%-juy0Cr%w^t_wSY0;3?SjrCz%qz37Ki!e zLi*+|A$ioRGn!Z*J~Vb0Okwl^r~jyv3qh8{_p{SZ#Jdvtt( zj_6~VH#C}vfZdCjQ)yejj&Ajhv9J+&Jo9+THfp9xEPWL`=vJuxPVOL8KN!4OaC0kI zm?R|UeLyv6N(O88tT??rikvNzBE!w-M>RN;`bi)AtK&CDYSrcsdw1SF2SQ!;V%D_} zv|6ckCsXQlBrI&GcAId3zJ+?_n?{_}^a|Y!B*$zEp}@mWv}|qCw~-#(UCGu`@mp4Y zZ5~OG&G7OCoRR-4kPC101HMj}OMR@aE1H7OR$XO!j_~00vZtBpts4Ut%ER8o)zyjc ze0{6*99Sriab5X9+QEGHc;ei_%*SJc1Y;acOkD6+)-cYPhQcp+b9=7LzAeeIs!`i| z1UZ(VH(8MLxufwp3g5s+BvX(}t?p1zkswqXs$06iR#wBG4T3|2FS)jt2J$ z{+yRmU`i#%@N06d3~*eL<1fHJpzujS`s(qd);_I1?_1px`0Utkis&eV0Lv3Jx`5TvlIK zm}@SYMV~OUZE(6L;bbs8agN0jF16@kaWs1v?V{kN@MuZFdAZ61LkUM$v8t$o2T+IB zmC`b}!ZXd@bOc>w=7=-*_Z`kKt+@Ec!V~vo6jpJyo%k=XU~e&pufpQ-Y)*3td3YRo z_$RQ&@|*G+tL%bhHGH=EEas!H55ku%<8`5kMso(laCY#R8s5MG?{lB8oUsMV_Ru_u zrKD7QzS-y7unzyz0^Zy6ZrE$Sp#{H2#h2HgjEYz78JcFbJRvjhiPdztQ^c&=$4Gld z(_tcRbcCXln3k05L$psUZ#1FLsFLcdqJzB^eHvAJ7Kn&W%a2XNv2>7XAGiE43Z5aV z)8k&THS)>4Xzv&j6Ro1di$_-UQ1G_9rIY+}=Jx5ysstwI#((m=p4R|JD0B5_Z+nQh zYRoWqsBHOYZ_>7(fI%?WQU~~L->zcfJn!HaeI>b;AI3-oUh8=it)$Ojn#7oL2@kM| z`TAADvFo*rp#v^^w0|oUF6*;K)uo5X?4{$mB3%=n>O9e;_sXn2RiqT{n4$d) z_04=U7bytmVPQ&&9LuJL6Pxo#wWP_=UfD=;Skw^K7X@dmhd)WTvuSxkS&8_}W{<^+ zEr0QrbW)P@i6@|5k%K~Yd@wcd1eR?nEMhCkaT=Ns6uH3jOp_L!z@lOdAXem9^DO5q z;hyg{vmQDo(hrrJ^t2P0wH2$uD{^D93vv?Pt-bRyz%~qZ_EerwUT?R@2E~l#eR430 zKg0VUWN6RrE*e83&})gyN1##9g&Iz1hQ`>KiWV*gZMKfK!G1KD z_aO^5g-LHxQfP%~0I2N-8e^EoVDk+^ISJqAh=KW&U0iU3E6?}1SqkrXPHe3DSO@cw z_ce+Q3oWw__d>cB%pEm3ro3UL5J@gDLNhI;Zk4FL)o9i8=yoLq?2{H2FQtgg8-Egh zz>DF=r{KI+n6b}%JDS`|YWg-zXD`vPk6~Wf#dL+)7+Y0mAqC$8R|bNf$zfF}_+))~ 
z6IeXpsl=OT4bwS0mbTbi?~LIQ)K(Yw3g+I^YC3oD_I2DUFD%7cJwB4H^+vnO&hJ9=Wox+8Hgk!%1eVIiVc`*X|CnJ6U`EVqOmNej__YjxSk* z@hftCnjTzK#nmewP0eE>2zge2X7gwBFBf7wUyEn zaOSAwos3|k;4_T?i;AZE1C78kkclJd#41K3SDGR;7y#0iNv^(!IHk?_8^A8 zdS1%a3oTAd9+(uT;SR2UtF0*DSbs2bqGZk!mKKmP=g#=0*ouk@axmj#u~ET!Jzuf7h;t?9_@0rLy@XrFz9+@r@okoywC4k`!g@dgo_x#WE5+p-EXzRb zxwy35i!Dx~d8S%s<&*{5C@Le+Bz!g>`4%Mjr}8IqhVhhwg>LuOjX{Bb#AjIPAaYU$ zh1uP6D>K%SHgIJgGnPWW(qd|NCU>9H!n9;+q9lp&DU@v+)Rh|aL*PB=iX6``Tj3=^ z4wheT^&|y3%ec}~mgJx&TKzUb&e2#*MUi7@Dc=Sz$YCC|x66_oa|C5)6giqAG1?V5 z`f#aOg~rLt$H)t`+}_D*ZkcN#FS!-Is48mMnJ%scfhjnBAs;22Z%v{(&Cs1aUw^P< z^ojkU%Uh;-W>D1REX(Z_4d;!5DQaS2d9gIO8an2RXC%Sm>lq=KwpX%OG@gw4>Q_=T z9Zt2X(^#PZ3Z^P}2~5mf6&t2+^e!&gv|?5@scG-|b|wmPG;t+-ra-*s?*8B;C36R6 z>9M_aR}oll`9x%_YKHA`wF@}&pzt-#fcNzjQ_I_N2*Z3Lp`#_94zXUEKud{v(8CI? zw6td$jVZQyh(AZ8hqx6sJ)_lDOR}Y`IMA3Ga&ww$E1dwP9j)ilW z^=LuPF{@cIiX4-_q+As_3^l7T339fhZE1X*BIlbsVih@jYiyM+=hE@D7Gtv{Ijk;b z^wi||)W^paIU3qbdn?JscA~BO4sJ$nruqD1(LafqDkWOxHF8;vAos%URQ8JITOyU} zr}KqB!*gbOJt6#2VNSyPu6|;ZjE2t^D{p+UfFA7jt+IR_t=j=}J%d|3?@MMj;7N#Y z&uOp;)!gpsbkkjQW?A*z`aAefb8vfKfBj(-WFu3V?248Du3&3QtJZqJ-|q0rdOk+A zw}mf5tAac3+gx!1&N}Km9+&hz-$q!c+VgF9D`6|(nfarure7FNO7mX8VJ|^U)!y*~ z7&su|ExTH(QqER$xM+D8U*0Ow$o82faOjSU_LTuQ?$rNs0`^&knUAh%^k%>B)AP7X z^DIIR1#r6Os4V8jTn^a87LB26sqFea2bOMX9Cgz+zxluxD>alC3oU zOgXTX{_2ezb=R(O+V^$vuN%1X_RC0cW$E%(+W10*_pYorB3i?sZh53M9245MqSO~M z%qiL;r)7J`K>m7?{eAnSWA5}0;Qa#B=+7-$fBg1`H!q+4{fA$E`pn090nAeS#kjV8Eu^&%=Zw*WKNQU{HdcHTI(x~|=| z1!&}};?k)=(TuwegxfpUI+;%`TD%XIN<20*^+gX z7TQ#AI%|G*fOb1Ay9nv7f0!*wTXS&3dV6K*!~=o|mRK)w6JsrLW3f^C-5wENf9X;q z_qCo*r;&5c2U71pZUJ0eT7Gu6hg?99(djimSVaH6uX0{d8>id57SPmgyur^e0N&gL z#Iu%^R11C#dL%SZcXZ?nfaPs0?|{y>EBvPdYkn*7`GEV8THBN6Q><~<@Y7|w&(`V@ zwNvbpmYZ%5sad157uWfM#w}pbjgn09xf|iw|xq{$~(YIw_WB2~k-cn06 z#U($y$#Fz$VL9dNY{kCkROw^bbgvElu|Xl2p~h`1&5*5&UY4n3vuWymZO}+L59sM^ zcH8XJB;agWt3t(rum)}r*L;*waS5fzEOg24rx72bfNP4`?_%sUZ4EG%NiatmFd5rm 
zZn+^Ikty5Qd?~{F(|ilH-gRoXw{$Vz?N(Z8cQ`*A4=_S;HUw*=ZLfm@1izyDh1R2uxdk@I27FEBArqjJ`Bv3*5uDD&tUUjTSr`I&E@eX?-W3qNuR$oq{pSI z*jEnt4>N^0`S2&A8q|=v?iQvg=f$3eCfbC>CGVenZ0bt!iONP(R%}gPAY;zoNi^0Z z6O6hmA`Q^N&gn2~yUOyG+5?qZNdBii{_CwDKlHy4oEGCXHy{Iq>pG|(#g0XX%MJx9 zI_g&adVwSv3CFJ|e>#!m{st0MQe44LLN#6bo!I$}WybG5v;D}WPQ;xI#yc(}w_4~6 zXpEjfTf!EfPEO1^Q7um`BzJW+X?)XGpY5oGC(6$}Uee^^wdfg-DGNk*dCe6Ikr3B1 z9Dj4yo@y5D@j6L3UEc>bu+-cCV8J&cPV`>jmfpShq2xT)j$Jd;F>pZ!$9-w5MiJ!i z+CheTRXCp|m+e zyMBk}{ZXw9Jb}^tt4dKZ+%p@g%~~bw2`EyEu9!9$>-eP!cN7uU&MWj6892EwWt-RA zC$ZF6cvh?^s@t%8)EcnhT6J0IYWb~<6PEyo^L-9~hPNc3l1&SCZ?3v6O9g%;#tV!> zXb!CL2=C}h(tEEYY4Iwy$>ReMib-mraq4d;OIzIiSa!XP92#kd>Yx6aRyEZo;iVu= zCu^|Mdv1gBntQDeQ|ID_#yvarY*mI95taCfBAiaW=(Y0BCD?`dIDkwxaX&%~0?2&= z_-op4dbUbJT2DYzbW2?(;uU-rbiFKV`uEd%Id1;sxZty{q7faoiYJO*p9^*;?xYrm7$mi})%Ngu8t9hlm?Cmr8=b)b zeuZx^H@HM_Dpnw>;X%>C*!}%c82{p=iZCt@L3lxrHt2VBK7DkYKXQXAP_tr3d4_Hi zRuF$)$gE9T{SiI-qnd8Bg2mqrDYRU50~oLn_r0iSJB&I@rtclH*DH%wrQ<%)=?k%2 zIq%b9=#pN?pW!Q{p~OyahFJ`Fe=pw4-tE+#`jSh}6CtT2I~KE=^+JAsF@dtObx6qqh=2**Te}9*LWU0`%I|ZSSMkx@sTHw4`YO&&P{NBv#gU9-{Hjpvk~2|TU!9{T z(C;q$gN7H$U416Hlkx|ArFtFKNNw{)GqY_FltoRJ?c=j0Yvmwi4!kou0NN@9d| zC!3xWIf4Mut_8@!?eXHO+1%{IVi_q@K$ zW=E`hpY-J&3tIMq54z>V9)34@QX|q~iIXf!{J@}3Kjm>H%h~2!+sdRNLt%7O-ntr3 z<&!n5&`cl zlIP?|lA-d#WjbMW_Bcj zE$q8A*{Ae zWqZPlHRyq!-lp(4Uke@~r#hPC%O|(&e7pfR?40s`7)c~fG(OePiqx@HIVk!f5jhiT zSkRl4J{XqHp2?f%HL68*ROBejmzO2pD7WH8h5(EAsyhyHP+N4~s}q=bo6deJHlePq zb!PCwzF-$nT9Ig<)cn#(ujx?S0pVTQj1%&tuF9F!;k$@;O6QY~$DR4%JYj0MmlEeA zZDV*XdE}3XGJXa%d5$)DIuZT~Irgo16#;GUj!-(Yrx4!BRPJeOR>3Ts*AY;Bc8bfJ zAoh#Bh{)r94$k>mh1>J9FV)(hEQ0?6zHGO4z`$EOnW~!q0?e3l(&UlH)tH54K8#O} zfZ||SWJ>H8Sdj5g$t!^PkCuPizW`RJIqZ+t-vCx?OAcc~?vEB0F#Dr*WrXc7txFk< zZN5KR*j%N5XT#>g8lhUo-5JB%dF&-h3AOlsjNK&Vd8p=HGv8OwQZ&yVEX%xY;JkR( zy`%j38?TfU;A4}RQNt`%LuR1RmUznC6U_PH-*wuN`vA~nMb#M`cXe*$A(DTJMiC0g z^ARNUAGyLU2p1pO2kaX$k?2Qtu{4o6Ri^n|54CO?baDGicrop+1yr!Qlk50-+0tFv z*OkqX3X~FJ^V^y%(Wr02NV^!fhGDxIjoJ%*6oX5PE^2!ep#pb@OousyfpSuBXesrW 
zt^`pEHr`8B)f9+drWopm)37(*{w4SEz0zL9>K$Di!N%KIEK-Ub^Nsj5?t%L=d?c(v5YNm)VHB%27L1&anTM@N0W=WH)^Z2m6F?3<$ES88*u9(NLqWF{s zqnIN;Qm;_F{RaTyvpb?_Fw4K~U*M`F&g%*g@$0{s7(Jf<(0lo(Bo?Upqm{0zX^Qw8 z!0MR&(fS*>(jvo{ApN6t1z@Zruv%CnH!&`;CHpuyi^moI%665D;ZHVfF02tvYi$SR zCl09F9_5B2VY}V;&3+jUM|BM5d8<0S(=yc+y4l*cNNidAMcx1P9viMReYBALOew%ODO+Lvj0rHnt~e5xP8wY%2fk+EsJ_XgEr%?eo98_W#+O81SE-$YENH zEy;p;8r$A~_L&`1GL)|JpY6ozJ-}#*QNaIWO8#MEjbJC_YJ{+@#fSKKMMYVvzcpSh-tD>!zg+%LK>l)R`njI0QAE71;)6>pV|->D_J>;fLT8q>Ci z%+S~E?{#}kI*=`7DbBnNV%*?L5sKMsvy|u*-QcbdIdM1FOiRL-^5$a-Y^{v8086AF zXJ>RbclUhgc{mI~)#x$4Lx@uo{9wc!D!*me^>|#?1kQ&?SEf`~tT~65L7c)(Gi$j(x(-(z@r6vpnP4}p1~W4v4XKD=vdy* zU5*p6#R>DXadHV-@N_upK>4aA*hgP_27;nzl_W~#kHM1X8rZjj?ckmL!uMzMt40uh z%%}1ofe*pd?I@}|OKY0QdDWp2;EhTF4S-s-B$53VH`fw<2O$x%NG9U1`vPmW&y=_j99l>q|<{vfchsu!Qn6 zhHyA88#1>X9+&K%fE?z({jr{BejPtR_AUDXfrh?KBr4p1%w`_9n>jJvQGmfxm;q|J zE#n7a2~XKulojC(v>_@%nn>8r0xle<^R~&G*aMejMT(YmFt-9;96VkCoPt~5qa|H- zwWoDT`L0evNFrTewbtx-<@PlJnMv*C0Y+VtL~}6#cr$Ebtm`pS4$v}dhz6SSn)Y%_ z8<9{WAA2C~0SAf>S>ueh>&oFm90|qqTrQ?DwOzCKdHwr%F1IxiBf$hU?ow*5)##K5 zrR!u;oHF}bhj4mb5(7U5zzI*BeVcAOl5J1Mol}N}xBo0!_y!@)b(z&z1AYq|jo~Im z*00=wetTKv{`>8@I8nxa0&u9r^90C4($G5#^2LSQ)|N0+>!b%~wyXt^sBUDwZTskj zf*CAC|A%g@J4)Z<>t-2vqHFe^ONoO1MW0oUgvoCXK-bTL2jfilkG-YvguA}D^8W2cs?(?P<^0c7;~1g-Wuf4XeDST$|qv?W7WC5Uv5 z;Z?+mkz`vUOb6-e1ZK&q;O`FWFL={1#UZ9-;H-G0 zRmZ-bhFEN6|)8C;0A?hYtDFjcb9z#>96hcw{M%CA8z~PzRJH2b%pISX*NIx@y za-%a3vxUMqtcd!ASb7pA9(B{_C_BBEnE6@ndO~LLy|Anqu^pr*go!e290q23?N5K+ z=-Ks(g%yUL+fdozCR=t(=qTD9Bl1=lK6LkFd}Us>g&*J{M&)gAFScrpKwq*gX8CB& zijLcbCr=&HO^>?9qoiqKh4lXU(!zwgFPX0gUOn`Zt7MfsPU9|C; z$>o?#1l#o2xl>+=Zu$gH@=J0P+sct51L4z6r!BPIfG-X@JL>az^tX(3+`m>F&M-MD zqW9cK#W`KMNGYQ)iKO!U54U%J;AA#KKs#gg9mtdJrQT7tR_WRYnX4m X5upAQIrM&H9-3CUi@FZFcJ2QF3#!H1 diff --git a/relatorio.tex b/relatorio.tex index 283c6b4..f254c87 100644 --- a/relatorio.tex +++ b/relatorio.tex 
@@ -4,7 +4,7 @@
 \title{Practical Assignment \#1}
 \author{
- João Neto -- \\[1em]
+ João Neto -- 2023234004\\[1em]
 Vasco Alves -- 2022228207
 }
@@ -14,16 +14,50 @@
 \newpage
 \section{Introduction}
-
+O objetivo principal deste trabalho era aprender IPTables e como configurar um com o Suricata um sistema de filtração e deteção de ataques. Para esse fim, foi simulado um sistema dividido em três redes e um router para conectar-las. As três redes são a DMZ (23.214.219.128/25, enp0s8), Internal network (192.168.10.0/24, enp0s9) e Internet (87.248.214.0/24, enp0s10).
+As três redes tem varios serviços, o DMZ tem dns(23.214.219.130), mail(23.214.219.134), vpn-gw(23.214.219.133), www(23.214.219.132) e smpt(23.214.219.131). A Internal network tem ftp(192.168.10.2), datastore(192.168.10.3) e clientes (nos testes os clientes tem ip 192.168.10.4, mas está configurado para dar para qualquer edereço). Por fim a rede Internet tem dns2 (87.248.214.99) e eden (87.248.214.100), existe também outros serviços (87.248.214.98).
 \section{Firewall}
-Sigmasigmaboy123
-\subsection{Packet fileter with NAT}
-\subsection{Packet filtering without NAT}
+\subsection{Packet fileter without NAT}
+O policy que foi escolhido foi:
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+Foi escolhido porque é mais facil dar DROP a todos os pacotes que não foi criado regras do que criar uma regra de DROP para todos os protocolos e possibilidades, o OUTPUT ficou para ACCEPT porque não existe razão para dar DROP dos pacotes que estamos a enviar neste trabalho.
+Para o router conseguir resolver DNS requests e para aceitar coneções SSH da rede interna ou da VPN gateway foi utilizado estes comandos:
+sudo iptables -A INPUT -o enp0s10 -p udp --dport 53 -j ACCEPT
+sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT
+sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT
+Para conseguirmos a confirguração pedida entre redes foi utilizado estes commandos:
+sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 143 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 110 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT
+\subsection{Packet filtering with NAT}
+Para conecções com origem/destino na internet foi utilizado DNAT/SNAT e iptables para "esconder" o ip para a internet que quer aceder a rede interna e iproutes para bloquear certos pacotes de entrar, para conseguir a configuração utilizamos estes comandos:
+sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT
+sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 
192.168.10.3
+sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
+sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT
 \subsection{External Network}
 \subsection{Internal Network}
 \section{Intrusion Detection}
+Suricata rules:
+drop tcp (dollar)EXTERNAL-NET any -> (dollar)HOME-NET any (msg:"ET"; flags:S; threshold:type both, track by-src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
+drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
+drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
+drop tcp any any -> any 80 (msg:"XSS"; content:"